Forum Discussion
Redirection to pools failing
First, for why we have to see the payload, your iRule is below:
    when HTTP_REQUEST {
        if { [HTTP::uri] contains "myfirstsite.com" } {
            pool RHDIIS1_OnLAPP_HTTPS
        } else {
            pool RHDIIS1_Sites_Pool_HTTPS
        }
    }
In an HTTP transaction the data is encrypted; the F5 will not see the string myfirstsite.com. The encrypted data will in no way match the plain text that the data will decrypt to. So without the F5 either terminating the SSL connection or doing SSL pass-through, the unit will never see the GET/POST/HEAD and such, and will never fire the when HTTP_REQUEST, again because all this data will be in an encrypted format. So this is not a design flaw with the F5; it is how encryption works: it secures the data between the parties in the conversation.
Now for the second question: the F5 has a setting on the pool for the action on pool member down. By default it is set to none; you can set this to reselect and the unit will make a new LB choice. Now for pure HTTP this might not work, as looking at the pool members it looks like they are HTTPS only. Again, they will not accept the connection, as they will be waiting for the client to send the CLIENT HELLO; instead the browser will send a GET/POST/etc. request, causing the server to terminate the connection.
Now you can support both HTTP and HTTPS on the same VIP:
https://devcentral.f5.com/questions/rule-to-support-http-and-https-in-the-same-vip
So the link would look like the following: HTTP://www.something.com:443 or HTTPS://www.somthing.com
Now if you are wanting the F5 to redirect traffic from one pool member to another, you can enable OneConnect for the HTTP traffic. Note that if you try to switch HTTPS traffic from one server to another, the server should reset the connection, as the connection is again in an encrypted state and the session key is not on the unit in question, so it will not know how to read or respond to the traffic. It will be forced to end the connection, and the browser should reopen the connection and the client and server will set up a new encryption session.
Now another option for you is to use TLS hostnames or a wildcard SSL cert. With either, you can have one VIP service both connections, each giving out a cert the browser will support.