Forum Discussion

John_Lennon_457
Nov 30, 2010

ProxyPass iRule and pools with both HTTP and HTTPS webservers

I'm using the ProxyPass v10 iRule that Kirk wrote to redirect to a pool based on URI. The webservers use HTTP except for one that requires HTTPS. All traffic comes in to a single host IP, same FQHN but I need to use a Reverse Proxy feature (I'm trying to replace Apache) to redirect based on URI to the correct pool, hence the need for the ProxyPass iRule.

 

 

I simplified the Data Group for simplicity, it would look like:

"/1" := "/1 PoolHTTP1",
"/2" := "/2 PoolHTTP2",
"/3" := "/3 PoolHTTP3",
"/4" := "/4 PoolHTTPS4",

 

 

My problem is with the last one, I don't know how to configure my VS and iRule to select HTTPS for the odd case, and keep HTTP for everything else.

 

 

The traffic flow would be:

users --HTTP--> LTM --HTTP--> PoolHTTP1-3
users --HTTP--> LTM --HTTPS--> PoolHTTPS4

 

 

In other words, users always connect to the same FQHN via HTTP, I need HTTP to the web servers in most cases and HTTPS for just one case.

 

 

Thank you in advance for your help.

 

  • Hi John,

     

     

    I haven't tested this functionality, but the ProxyPassV10 rule seems to support server side SSL using a datagroup named ProxyPassSSLProfiles:

     

     

    
     From: http://devcentral.f5.com/wiki/default.aspx/iRules/ProxyPassV10.html
    
     The following code will look up SSL profile rules from 
     the Data Group "ProxyPassSSLProfiles" and apply 
     them. 
     
     The format of the entries in this list is as follows: 
     
       
     
     All entries are separated by spaces, and both items 
     are required.  The virtual server also will need to
     have any serverssl profile applied to it for this to work.
    

     

     

    Aaron
  • Aaron,

     

    My understanding is that ProxyPass can select a different SSL Server Profile with the feature you pointed out, but it still requires the Virtual Server to have a generic ssl profile applied.

     

     

    From the ProxyPass iRule:

     

     

    The virtual server also will need to have any serverssl profile applied to it for this to work.

     

     

    and

     

     

    log local0. "$log_prefix: ServerSSL profile must be defined on virtual server to enable server-side encryption!"

     

     

    Do you have any other suggestion on how I could solve my issue?

     

  • Hi John,

    If you want to specify a server SSL profile in an iRule, there must be a (any) server SSL profile on the virtual server. The ProxyPass iRule does a lookup for the currently selected pool in the ProxyPassSSLProfiles datagroup. If a match is not found, then the server SSL profile is disabled using SSL::disable. So I think this should work for your scenario.

    
       set profilename [findclass $pool ProxyPassSSLProfiles " "]
    
       if {$profilename eq ""} { 
          if { [PROFILE::exists serverssl] == 1} {
              # Hide this command from the iRule parser (in case no serverssl profile is applied)
             set disable "SSL::disable serverside" 
             catch {eval $disable}
          }
          return 
       }
    

    Aaron
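
The behaviour described in the reply above, reduced to a stand-alone iRule as an added example (not part of the thread and not the ProxyPass code). It assumes the pools from the question, a serverssl profile attached to the virtual server, and a string data group `ProxyPassSSLProfiles` with a constructed entry `"PoolHTTPS4 serverssl"`.

```tcl
# Added example; not the ProxyPass iRule.
# Assumptions: pools PoolHTTP1..3 and PoolHTTPS4 exist, the virtual server
# has a serverssl profile attached, and the string data group
# ProxyPassSSLProfiles holds "<pool> <serverssl profile>" entries,
# for example "PoolHTTPS4 serverssl" (constructed sample).
when HTTP_REQUEST {
    # Choose the pool from the first path segment, mirroring the
    # simplified data group in the question.
    switch -glob [HTTP::path] {
        "/1" - "/1/*" { set target PoolHTTP1 }
        "/2" - "/2/*" { set target PoolHTTP2 }
        "/3" - "/3/*" { set target PoolHTTP3 }
        "/4" - "/4/*" { set target PoolHTTPS4 }
        default {
            # Unmapped paths are refused rather than sent to a default pool.
            HTTP::respond 404 content "Not found"
            return
        }
    }
    pool $target

    # findclass with a separator returns the text after the pool name,
    # or an empty string when the pool has no entry in the data group.
    set profilename [findclass $target ProxyPassSSLProfiles " "]

    if { $profilename eq "" } {
        # No entry: speak plain HTTP to this pool.
        SSL::disable serverside
    } else {
        # Entry found: encrypt the server side with the listed profile.
        SSL::enable serverside
        SSL::profile $profilename
    }
}
```

With a serverssl profile on the virtual server, server-side SSL stays on unless the rule disables it, so the `SSL::disable serverside` branch is what keeps PoolHTTP1-3 on plain HTTP. Only the LTM-to-server leg for PoolHTTPS4 is encrypted; the client leg remains HTTP as in the question.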
  • Hi,

     

    I have a similar problem with ProxyPass v10. I need to rewrite:

     

     

    "http://external_hostname/" := "https://internal_hostname:443 pool_test_443"

     

     

    Is it possible to configure that?

     

     

    Thanks a lot.

     

    Regards

     

    Fabrizio.

     

  • Hi Fabrizio,

     

     

    That looks like something to start testing with. If you add a server SSL profile name to the end of the datagroup value, does it work? If not, can you enable debug logging and reply here with your datagroup contents and the debug logging from /var/log/ltm?

     

     

    Aaron
  • Hi Aaron,

     

    First, thanks for the quick reply. I have to try it with the SSL profile; I'll inform you ASAP.

     

     

    Thanks a lot

     

    Best regards

     

    Fabrizio.