Forum Discussion
Proxy SSL and virtual command in iRule
Well, this is not a secret iRule 🙂 I just used the one provided in the Project Acceleration Tech article. Here it is:
    when HTTP_REQUEST {
        # Insert Cookies for policy switching
        set setcookie ""
        log local0. "Cookie $setcookie"
        log local0. "Client [IP::client_addr] connected from switch"
        switch [string tolower [HTTP::uri]] {
            "/none" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=none; Expires=Thu, 01 Jan 1970 00:00:01 GMT\""
            }
            "/tcp" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=tcp\""
            }
            "/compress" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=compress\""
            }
            "/ibr" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=ibr\""
            }
            "/img" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=img\""
            }
            "/reorder" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=reorder\""
            }
            "/spdy" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=spdy\""
            }
            "/http2" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=http2\""
            }
            "/oc" {
                set setcookie " \"Set-Cookie\" \"X-WA-Policy=OneConnect\""
            }
        }
        log local0. "Cookie $setcookie"
        # A policy URI was requested: redirect to "/" and set the policy cookie
        if { [string length $setcookie] > 0 } {
            HTTP::uri "/"
            set cmd "HTTP::respond 302 Location \"https://sklep.rossnet.pl[HTTP::uri]\" $setcookie"
            eval $cmd
            return
        }
        if { [string tolower [HTTP::cookie "X-WA-Policy"]] ne "" && [string tolower [HTTP::uri]] eq "/current" } {
            HTTP::respond 200 content "Current cookie setting for X-WA-Policy is: [HTTP::cookie "X-WA-Policy"]"
            # The response has been sent; do not continue to the virtual selection
            return
        } elseif { [string tolower [HTTP::uri]] eq "/current" } {
            HTTP::respond 200 content "Current cookie setting for X-WA-Policy is: [HTTP::cookie "X-WA-Policy"]"
            return
        }
        # Select the target virtual server from the policy cookie
        set vip "/Common/v.dc.wa_default_0.app/v.dc.wa_default_0_vs"
        switch [string tolower [HTTP::cookie "X-WA-Policy"]] {
            "tcp" {
                set vip "/Common/v.dc.wa_default_0.app/v.dc.wa_default_0_vs"
                COMPRESS::disable
            }
            "compress" {
                set vip "/Common/v.dc.wa_compress_1.app/v.dc.wa_compress_1_vs"
                COMPRESS::enable
            }
            "ibr" {
                set vip "/Common/v.dc.wa_ibr_2.app/v.dc.wa_ibr_2_vs"
                COMPRESS::enable
            }
            "img" {
                set vip "/Common/v.dc.wa_img_3.app/v.dc.wa_img_3_vs"
                COMPRESS::enable
            }
            "reorder" {
                set vip "/Common/v.dc.wa_reorder_4.app/v.dc.wa_reorder_4_vs"
                COMPRESS::enable
            }
            "spdy" {
                set vip "/Common/v.dc.wa_spdy_5.app/v.dc.wa_spdy_5_vs"
                COMPRESS::enable
            }
            "http2" {
                set vip "/Common/v.dc.wa_http2_6.app/v.dc.wa_http2_6_vs"
                COMPRESS::enable
            }
            # Lowercase pattern: the cookie value is lowercased before matching
            "oneconnect" {
                set vip "/Common/v.dc.wa_oc_7.app/v.dc.wa_oc_7_vs"
                COMPRESS::enable
            }
            default {
                set vip "/Common/v.dc.wa_default_0.app/v.dc.wa_default_0_vs"
                COMPRESS::disable
            }
        }
        log local0. "Virtual $vip"
        virtual $vip
    }
    when HTTP_RESPONSE {
        HTTP::header insert "X-DC-Virtual" $vip
    }
Still, from the log with SSL debug enabled, it looks like the switching VS (with the iRule attached), when set as Proxy SSL, is trying to pass the SSL handshake to the member of the attached pool (single-member pool). That looks logical, looking at the Proxy SSL definition in the docs.
I am just looking for a way to use https on the client (to test the spdy and http2 profiles - it's not possible to assign these profiles to a VS without enabling SSL termination on the VS) via the switching VS to the target VS (the one with the spdy or http2 profile).
If I terminate SSL on the switching server, the traffic is passed to the target VS as http and the mentioned profiles will not work. If I pass SSL through the switching VS (no decryption/encryption), then the iRule will not work.
If I use Proxy SSL on the switching server, then it tries to pass the SSL handshake to the attached pool member before even reaching the iRule (logical), so the SSL handshake fails (the member is http).
Just running out of ideas here 😞
Piotr
- dragonflymr, May 18, 2015
Cirrostratus
Well, I am answering my own question :-). Simple solution was to use SSL Bridging, switching VS using clientssl and serverssl without setting ProxySSL. Piotr
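The SSL bridging setup described in the reply above, sketched as a tmsh configuration fragment. This is an added example, not configuration from the original thread: the profile names, the virtual server name, the iRule name `wa_policy_switch` and the address 192.0.2.10 are constructed placeholders, and `proxy-ssl disabled` is already the default, written out here only to contrast with the Proxy SSL attempt.

```tmsh
# Constructed names and address; adapt to your own partition and objects.

# Client-side profile: the BIG-IP terminates TLS itself (no Proxy SSL),
# so HTTP_REQUEST fires on decrypted traffic and the iRule can read
# the URI and the X-WA-Policy cookie.
ltm profile client-ssl switch_clientssl {
    defaults-from clientssl
    proxy-ssl disabled
}

# Server-side profile: traffic is re-encrypted before it leaves the
# switching virtual server, so a target VS that terminates SSL
# (required for the spdy/http2 profiles) receives a TLS handshake.
ltm profile server-ssl switch_serverssl {
    defaults-from serverssl
    proxy-ssl disabled
}

# Switching virtual server: decrypt, run the iRule, re-encrypt towards
# whichever virtual server "virtual $vip" selects.
ltm virtual wa_switch_vs {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        http { }
        switch_clientssl { context clientside }
        switch_serverssl { context serverside }
        tcp { }
    }
    rules { wa_policy_switch }
}
```

Because the server-side handshake now originates from the BIG-IP rather than being relayed from the client, certificate validation towards the target is governed by the server-ssl profile's own settings.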