Forum Discussion

John_Lennon_457's avatar
Icon for Nimbostratus rankNimbostratus
Nov 30, 2010

ProxyPass iRule and pools with both HTTP and HTTPS webservers

I'm using the ProxyPass v10 iRule that Kirk wrote to redirect to a pool based on URI. The webservers use HTTP except for one that requires HTTPS. All traffic comes in to a single host IP, same FQHN but I need to use a Reverse Proxy feature (I'm trying to replace Apache) to redirect based on URI to the correct pool, hence the need for the ProxyPass iRule.



I simplified the Data Group for simplicity, it would look like:



"/1" := "/1 PoolHTTP1",


"/2" := "/2 PoolHTTP2",


"/3" := "/3 PoolHTTP3",


"/4" := "/4 PoolHTTPS4",



My problem is with the last one, I don't know how to configure my VS and iRule to select HTTPS for the odd case, and keep HTTP for everything else.



The traffic flow would be:



users --HTTP--> LTM --HTTP--> PoolHTTP1-3


users --HTTP--> LTM --HTTPS--> PoolHTTPS4



In other words, users always connect to the same FQHN via HTTP, I need HTTP to the web servers in most cases and HTTPS for just one case.



Thank you in advance for your help.


7 Replies

  • Hi John,



    I haven't tested this functionality, but the ProxyPassV10 rule seems to support server side SSL using a datagroup named ProxyPassSSLProfiles:



     The following code will look up SSL profile rules from 
     the Data Group ProxyPassSSLProfiles" and apply 
     The format of the entries in this list is as follows: 
     All entries are separated by spaces, and both items 
     are required.  The virtual server also will need to
     have any serverssl profile applied to it for this to work.



  • Aaron,


    my understanding is that ProxyPass can select a different SSL Server Profile with the feature you pointed out, but it still requires the Virtual Server to have a generic ssl profile applied.



    From the ProxyPass iRule:



    The virtual server also will need to


    have any serverssl profile applied to it for this to work.






    log local0. "$log_prefix: ServerSSL profile must be defined on virtual server to enable server-side encryption!"



    Do you have any other suggestion on how I could solve my issue?


  • Hi John,

    If you want to specify a server SSL profile in an iRule, there must be a (any) server SSL profile on the virtual server. The ProxyPass iRule does a lookup for the currently selected pool in the ProxyPassSSLProfiles datagroup. If a match is not found, then the server SSL profile is disabled using SSL::disable. So I think this should work for your scenario.

       set profilename [findclass $pool ProxyPassSSLProfiles " "]
       if {$profilename eq ""} { 
          if { [PROFILE::exists serverssl] == 1} {
              Hide this command from the iRule parser (in case no serverssl profile is applied) 
             set disable "SSL::disable serverside" 
             catch {eval $disable}

  • Hi,


    I have a similar problem with ProxyPass v10. I need to rewrite:



    "http://external_hostname/" := "https://internal_hostname:443 pool_test_443"



    Is it possible to configure that?



    Thanks a lot.






  • Hi Fabrizio,



    That looks like something to start testing with. If you add a server SSL profile name to the end of the datagroup value, does it work? If not, can you enable debug logging and reply here with your datagroup contents and the debug logging from /var/log/ltm?



  • Hi Aaron,


    in first thanks for quick reply, I have to try it with profile ssl, I'll inform you asap.



    Thanks a lot


    Best regards