Problem redirecting by URI and applying an SSL server profile
Hello, I will try to explain my situation.
I have a server that runs 3 different applications, all will be published under the same domain.
Example:
resource1 port 80 http
resource2 port 81 http
resource3 port 82 https
resource4 port 443 https
resource1, resource2, resource3 and resource4 are the applications that run on the server.
all will be published with the same ip on the virtual server under the same domain and as the real server says it is only one.
Up to this point, redirecting the traffic for each application is not very complex: an iRule or L7 policy, creating a pool with the pool member on a different port for each:
pool1 server: 80
pool2 server: 81
pool3 server: 82
pool4 server: 443
Then I just create my iRule that sends each path to its pool.
The complicated thing is that 2 of them run on https.
Of course it is not possible to create virtual servers with different ports to differentiate traffic, it is not feasible for the business.
Then this brings me to the following scenario:
How do I handle the SSL traffic?
Then it occurred to me to define the virtual server with a client SSL profile, so that I could perform the SSL offloading, get the URI and execute the logic of my iRule.
Here the problem is re-encrypting the traffic since, as I mentioned, some services run on HTTPS.
I have the iRule logic that I have seen in many articles; I am performing a simple test with a single URI on a test server:
--- irule as an example with a single test server -----
when HTTP_REQUEST {
    set uri [HTTP::uri]
}
when SERVER_CONNECTED {
    if { $uri equals "/dvwa/index.php" } {
        # unique uri test
        SSL::profile serverssl
        pool Pool_test   ;# test pool
    } else {
        reject
    }
}
I understand that in order to encrypt the traffic the pool member must listen on 443.
When performing the test, without the SSL::profile serverssl line the logic does work, but for some reason I cannot activate the SSL profile or encrypt the traffic.
I also tried placing
    SSL::enable   ;# enable ssl
    SSL::profile serverssl
    pool Pool_test   ;# test pool
}
but this is not working
I made captures while applying this iRule (see images: virtual server, pool, iRule).
You shouldn't try to enable it in the iRule; you enable it by default with the Server SSL profile and then disable it for pools that don't do SSL/TLS.
So it is the other way around.
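
The approach described in the reply above, written out as an iRule (an added example, not code from the thread). It assumes the virtual server has both a Client SSL and a Server SSL profile attached; the /resourceN path prefixes are hypothetical, and pool1 to pool4 are the pools listed in the question.

```tcl
# Added example, not from the thread.
# Assumption: Client SSL + Server SSL profiles are attached to the virtual
# server, so server-side TLS is on by default and is only switched off here.
# Assumption: the /resourceN path prefixes are hypothetical placeholders.
when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/resource1*" {
            # Backend speaks plain HTTP (port 80): turn server-side TLS off
            SSL::disable serverside
            pool pool1
        }
        "/resource2*" {
            # Backend speaks plain HTTP (port 81)
            SSL::disable serverside
            pool pool2
        }
        "/resource3*" {
            # Backend speaks HTTPS (port 82): keep re-encryption on.
            # Set explicitly as a precaution so a later request on the same
            # client connection does not keep an earlier branch's setting.
            SSL::enable serverside
            pool pool3
        }
        "/resource4*" {
            # Backend speaks HTTPS (port 443)
            SSL::enable serverside
            pool pool4
        }
        default {
            # Unknown path: drop, as the test iRule in the question does
            reject
        }
    }
}
```

Requests sent to pool1 and pool2 leave the BIG-IP unencrypted, so that network segment carries the application data in clear text.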