Deon
Nov 08, 2011

ProxyPass and both HTTP and HTTPS pools

I am using ProxyPass v10.3 (Sept 27, 2010) and am having difficulty getting it to work with one alternate pool that needs to have server-side SSL. All backend member app servers use HTTP except for one that I need to use HTTPS. I was able to get ProxyPass to work if I switched this one backend server to HTTP, but now that I have switched it back to HTTPS I can't figure out the right config to add so it will work.

The VIP default pool is HTTP and the alternate pool (SCC_dev) specified in ProxyPass is the one that needs to be HTTPS - only for a very specific URI pattern. After my success with HTTP on this backend connection I changed the following in an attempt to get HTTPS on this pool working with the iRule.

* Changed app server to listen on HTTPS in place of HTTP.

* Switched from HTTP to HTTPS health monitor. SCC_dev pool is being marked as up, so things on the back end for this pool appear to be good as far as SSL setup.

* Created string Data Group named "ProxyPassSSLProfile" with one entry as follows:

SCC_dev := serverssl

* Added plain old "serverssl" to the VIP.

The result is that the app does not function at all. The "serverssl" profile on the VIP causes the communication on the main pool to be nonfunctional. I presume this is because the default pool for the VIP is HTTP and adding the server-side SSL profile messes things up. I was reading posts about what I am trying to do and found this one that is useful: http://devcentral.f5.com/Community/...fault.aspx

The detail about how the ProxyPass iRule searches the ProxyPassSSLProfiles data group for the current pool and how it disables server-side SSL if the pool is *not* found describes how I believe my current setup should function. The default pool is *not* in the ProxyPassSSLProfiles data group.

I thought maybe the format of my data group name/value pair was incorrect and causing the issue. Note the one entry I detail above includes the separator " := " whereas the comment in the iRule appears to allude to using only a space separator/delimiter. I could not figure out how to create a data group with only a space separator. I added some logging to the SERVER_CONNECTED section of code which contains the findclass search for the pool name in the ProxyPassSSLProfiles data group. What I discovered is that $bypass is set to 1, so the return at the very top of the event code is executed, thereby bypassing all of the pool and sslprofile disable logic that is in this event.

I am not sure what to try next. Thanks in advance for your help!

-Deon

  • Hi Deon,

    Did you ever get this working? If not, and you still want to, can you enable debug in the iRule, reproduce the issue and post the logs from /var/log/ltm?

    Also, you might try testing with the current ProxyPass version posted here:

    http://devcentral.f5.com/wiki/iRules.proxypassv10.ashx

    Aaron