Forum Discussion

Bartek
Jul 12, 2019

remove "requires { http ssl-persistence }" from policy

Whenever I create a policy it adds its own default configuration snippets to the config. The one that gives me trouble is:

requires { http ssl-persistence }

When the policy is created, but only conditions are defined the code looks like this:

ltm policy test_policy {
    last-modified 2019-07-12:05:56:41
    partition mnp_325-ssn
    requires { ssl-persistence }
    rules {
        a-sni23-routing-8004 {
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { example.url }
                }
            }
        }
    }
    status draft
    strategy /Common/first-match
}

but the moment any actions are attached the "http" is added to the "required" line:

ltm policy test_policy {
    controls { caching }
    last-modified 2019-07-12:05:59:13
    partition mnp_325-ssn
    requires { http ssl-persistence }
    rules {
        a-sni23-routing-8004 {
            actions {
                0 {
                    cache
                    enable
                }
            }
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { example.url }
                }
            }
        }
    }
    status draft
    strategy /Common/first-match
}

I've tried removing the required part with modify and edit commands, however once saved the part was always put back in the configuration.

Chances are I've been doing something wrong here, commands I tried were:

modify ltm policy test_policy
- require delete { http }
- require delete { http ssl-persistence }
- require non

I also tried to edit the policy and delete the http part. After I saved the config or just exited it was back there again. Perhaps this is where I'm doing something wrong...

This results in an http profile being required on the VIP that the policy is attached to, and the http profile is causing some issues for my customer.

Now I know this is possible, because this is one of the profiles I found (on other partition) for the same customer:

ltm policy p-sni25-routing-443 {
  controls { forwarding }
  last-modified 2019-06-06:08:06:12
  partition mnp_233-dmz
  requires { ssl-persistence }
  rules {
    rule_1 {
      actions {
        0 {
          forward
          ssl-client-hello
          select
          pool p-sni25-p-7000
        }
      }
      conditions {
        0 {
          ssl-extension
          ssl-client-hello
          server-name
          values { example.url }
        }
      }
    }
  }
}

The above code was modified at some point in time by my colleague (it had the same issue), who now suffers from selective long-term memory loss (selective only to this action) and is unable to help more 😞

  • OK, so I actually got it, and learned a ton about policies in the process.

    The most important thing is that the policy assumes the http event if not told otherwise. In this case adding an "ssl-client-hello" after the forward action changed this assumption to the ssl event. This is also true for actions that (according to the specs) have nothing to do with http - I guess something that F5 overlooked.

    But wait, there is more - there is no way at all to add the ssl-client-hello while preparing the policy in the GUI. You need to prepare it as far as possible and then edit or modify the policy in TMSH (the latter is more elegant, but edit is easier and also does the job) to add the ssl-client-hello action. This automatically removes http from the requires line and leaves just the desired ssl-persistence, which as a result allows removing the unwanted http profile from the VIP.
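To make the behaviour described in this answer checkable before a policy is attached to a virtual server, here is an added example (not from the thread and not F5 code): a small Python checker that parses the tmsh `ltm policy` text pasted above into a tree, reads the `requires { ... }` line, and reports every action that names no explicit event keyword and therefore falls back to the implicit HTTP event, which is what pulls the http profile onto the VIP. The only event keyword the thread shows is `ssl-client-hello`; the other names in `EVENT_KEYWORDS` are assumptions for illustration, and the two sample policies are the ones from the post, with the truncated closing braces restored.

```python
"""Lint tmsh `ltm policy` text for actions that default to the HTTP event."""

import re

# Event keywords this checker recognises on an action. ssl-client-hello is the
# one shown in the thread; the other names are assumed for illustration.
EVENT_KEYWORDS = {"ssl-client-hello", "ssl-server-hello", "client-accepted",
                  "request", "response"}

# Sample input: the two policies pasted in the thread (closing braces restored).
CACHE_POLICY = """
ltm policy test_policy {
    controls { caching }
    last-modified 2019-07-12:05:59:13
    partition mnp_325-ssn
    requires { http ssl-persistence }
    rules {
        a-sni23-routing-8004 {
            actions { 0 { cache enable } }
            conditions {
                0 { ssl-extension ssl-client-hello server-name values { example.url } }
            }
        }
    }
    status draft
    strategy /Common/first-match
}
"""

SNI_POLICY = """
ltm policy p-sni25-routing-443 {
  controls { forwarding }
  partition mnp_233-dmz
  requires { ssl-persistence }
  rules {
    rule_1 {
      actions { 0 { forward ssl-client-hello select pool p-sni25-p-7000 } }
      conditions {
        0 { ssl-extension ssl-client-hello server-name values { example.url } }
      }
    }
  }
}
"""


def tokenize(text):
    """Split tmsh text into bare words and brace tokens."""
    return re.findall(r"\{|\}|[^\s{}]+", text)


def parse(tokens, pos=0):
    """Build a tree: a list of words and (name, sub-block) pairs.
    A sub-block is the word immediately before '{', paired with its contents."""
    items = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return items, pos + 1
        if pos + 1 < len(tokens) and tokens[pos + 1] == "{":
            sub, pos = parse(tokens, pos + 2)
            items.append((tok, sub))
        else:
            items.append(tok)
            pos += 1
    return items, pos


def blocks(items, name):
    """Yield the contents of every sub-block in `items` called `name`."""
    for item in items:
        if isinstance(item, tuple) and item[0] == name:
            yield item[1]


def load_policy(text):
    """Return the body of the first `ltm policy <name> { ... }` block."""
    items, _ = parse(tokenize(text))
    for i, item in enumerate(items[:-1]):
        if item == "policy" and isinstance(items[i + 1], tuple):
            return items[i + 1][1]
    raise ValueError("no ltm policy block found")


def required_profiles(policy):
    """Profile names listed on the policy's `requires { ... }` line."""
    return {w for blk in blocks(policy, "requires") for w in blk if isinstance(w, str)}


def actions_without_event(policy):
    """Actions that carry no event keyword and so default to the HTTP event."""
    findings = []
    for rules in blocks(policy, "rules"):
        for rule in rules:
            if not isinstance(rule, tuple):
                continue
            rule_name, body = rule
            for actions in blocks(body, "actions"):
                for act in actions:
                    if isinstance(act, tuple):
                        idx, words = act
                        keywords = [w for w in words if isinstance(w, str)]
                        if not EVENT_KEYWORDS.intersection(keywords):
                            findings.append((rule_name, idx, keywords))
    return findings


def lint(text):
    """Summarise whether the policy will force an http profile onto the VIP."""
    policy = load_policy(text)
    req = required_profiles(policy)
    implicit = actions_without_event(policy)
    return {
        "requires": sorted(req),
        "implicit_http_actions": [(rule, idx) for rule, idx, _ in implicit],
        "needs_http_profile": "http" in req or bool(implicit),
    }


if __name__ == "__main__":
    for label, text in (("cache policy", CACHE_POLICY), ("SNI policy", SNI_POLICY)):
        print(label, lint(text))
```

Run it and the cache policy is reported with `http` in its requires set and rule `a-sni23-routing-8004` action `0` flagged as implicit-HTTP, while the SNI policy, whose forward action carries `ssl-client-hello`, needs no http profile. The same check can be run over `tmsh list ltm policy` output before a policy is attached to a virtual server.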

  • I think the http profile is added as a required profile because the cache option is set to 'cache at request time'. This is probably triggered at the 'HTTP_REQUEST' event. The HTTP_REQUEST event requires an http profile. You could try to set it to 'cache at client accepted time'.

    • Bartek

      The pasted bit is just an example. The policies were performing SNI. I found the solution and described it below. But thanks :)

  • Ssl extension conditions require ssl-persistence profile...

    so you can’t remove it from the policy

    • Bartek

      I had no beef with ssl-persistence. It was the HTTP that gave me headaches. Anyway, I found the solution eventually and described it below.

      Thanks
