Forum Discussion
remove "requires { http ssl-persistance }" from policy
- Jul 14, 2019
OK, so I actually got it, and learned a ton about policies in the process.
The most important thing is that the policy assumes an http event if not told otherwise. In this case adding an "ssl-client-hello" after the forward action changed this assumption to an ssl event. This is also true for actions that (according to the specs) have nothing to do with http - I guess something that F5 overlooked.
But wait, there is more - there is no way at all to add the ssl-client-hello while preparing the policy in the GUI. You need to prepare it as far as possible and edit or modify the policy in TMSH (the latter is more elegant, but edit is easier and also does the job) to add the ssl-client-hello action. This automatically removes http from aspect and leaves just the desired ssl-persistence, which as a result allows removing the unwanted http profile from the VIP.
I think the http profile is added as a required profile, because the cache option is set to 'cache at request time'. This is probably triggered at the HTTP_REQUEST event. The HTTP_REQUEST event requires an http profile. You could try to set it to 'cache at client accepted time'.
The pasted bit is just an example. The policies were performing SNI. I found the solution, and described it below. But thanks :)
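
The end state described in the accepted solution, as an added sketch that is not the poster's actual policy: an SNI-routing LTM policy in which both the condition and the forward action name the `ssl-client-hello` event, so that `requires` lists only `ssl-persistence`. The policy name, rule name, pool name and hostname are assumptions, and the `#` lines are annotations for the reader.

```tmsh
# Added example: names (sni_route, route_app1, pool_app1, app1.example.com) are hypothetical.
ltm policy sni_route {
    controls { forwarding }
    # With every condition and action bound to ssl-client-hello,
    # no http aspect is required and the VIP needs no http profile.
    requires { ssl-persistence }
    rules {
        route_app1 {
            conditions {
                0 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { app1.example.com }
                }
            }
            actions {
                0 {
                    forward
                    # Without this event keyword the action is treated as an
                    # http event, which pulls http back into "requires".
                    ssl-client-hello
                    select
                    pool pool_app1
                }
            }
        }
    }
    strategy first-match
}
```

After the change, `tmsh list ltm policy sni_route` should show `requires { ssl-persistence }` with no `http` entry before the http profile is removed from the virtual server.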