Forum Discussion
NimbostratusQuery on http profile in Virtual Server.
hi,
just to give background, Presently the Virtual server is listening on port 443 and HTTP profile - none selected.
I wanted to block particular string in url. I need to apply this i-rule to this Virtual server but i know HTTP profile need to be enabled in order for i-rule to apply to Virtual Server.
Question here is : what is the impact if i enable HTTP profile for virtual server ? Does it alter the exiting properties of Virtual server other than reading i-rule or any other performance issues?
I believe, when HTTP profile is enabled for VS, it will allow F5 to read the http content to process the i-rule but what else will get effected apart from i-rule getting processed.
Thanks in advance.
Regards,
Rajneesh
jaikumar_f5Noctilucent
To put in simple words, when a HTTP Profile is applied to a VS, the bigip considers it as a HTTP traffic. So with HTTP Traffic, think what all you can do, all sort of inspections on the L7 layers are applied with this.
Hope these articles Choosing appropriate profiles for HTTP traffic & Overview of the HTTP profile will give you some insights.
T_RajneeshThank you for your response. I knew it but my question is about impact or performance? I have backend Oracle servers...presently VS is accessed using 443 & no i-rule & don't have http profile applied. Now I need to apply i-rule to block certain strings inburl..for which I need to enable http profile..what is impact it has on existing traffic?
David_MCirrostratus
If you add an http profile to a VIP on 443 then you must also add a client ssl profile.
This puts your bigip in a MITM mode means it can decrypt the encrypted packets.
Depending on your backend you might have to use a serverssl profile too if the backend is on 443 as well, which I am guessing it is because when you create a VIP on 443 without a http profile, its acting as a SSL bridge with your backend server which also needs to be on 443. Means your bigip cannot see the encrypted data.