Forum Discussion
jwhitepnv_12764
Nimbostratus
Nov 10, 2004
Rule to support HTTP and HTTPS in the same VIP?
I have a legacy application that uses http over port 443 (no encryption) and I want to add HTTPS on that same IP and port. Can I create a rule that will listen for something like the Client SSL Hello and if it's there, complete the SSL transaction and send requests back to a pool in support of the new users. Then if it's not there just send traffic back to the same pool unencrypted to maintain support for legacy users?
Thanks for your help in advance,
JWhite
2 Replies
- bl0ndie_127134 (Historic F5 Account)
Yes, BigIP gives you the ability to inspect the request data and selectively enable/disable SSL encryption. In this example, we check to see if the first 5 bytes of data match the start of some of the well-known HTTP requests and use that information to enable or disable SSL.
NOTE: There have been some fixes to the TCP::collect rule that will be available on 9.02 that you will need for this rule to function properly.

class http_methods {
   "GET"
   "POST"
   "HEAD"
   "PUT"
}

when CLIENT_ACCEPTED {
   # Hold the connection until the first 5 bytes from the client arrive
   TCP::collect 5
}
when CLIENT_DATA {
   # Payload begins with a known HTTP method: plain HTTP, so skip client SSL
   if { [matchclass [TCP::payload] starts_with $::http_methods] } {
      SSL::disable
   }
}

- rapmaster_c_127 (Historic F5 Account)
Another thing to note is that this behaviour should in fact be supported without the need to write a rule. The command:
bigpipe profile clientssl [profilename] nonssl enable
Should enable this passthrough mode of operation. However, due to a bug, this isn't working out-of-the-box, and you'll have to use bl0ndie's rule. A fix for this has been checked in, and is scheduled for 9.0.3. We're tracking the fix under CR 42570.
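As an added example (not part of the thread and not F5 code), the Python below runs the same first-5-bytes decision offline and goes one step further than the rule by also recognising what an SSL/TLS hello looks like in that window. The function names and sample byte strings are constructed for illustration; note that any method outside the rule's class, such as OPTIONS, is not treated as cleartext and stays on the SSL path.

```python
import struct

# Same method list as the rule's http_methods class.
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT")
PEEK = 5  # bytes collected by the rule; also the size of a TLS record header


def classify_first_bytes(data: bytes) -> str:
    """Return 'http', 'tls', 'sslv2-hello', 'need-more' or 'unknown'."""
    if len(data) < PEEK:
        return "need-more"          # the rule would still be collecting
    head = data[:PEEK]
    # Cleartext HTTP: the request line starts with a listed method token.
    if any(head.startswith(m) for m in HTTP_METHODS):
        return "http"
    # TLS record header: content type (1) | version (2) | length (2).
    ctype, major, _minor, length = struct.unpack("!BBBH", head)
    if ctype == 0x16 and major == 0x03 and 0 < length <= 2 ** 14:
        return "tls"                # 0x16 = handshake record
    # SSLv2-format hello: length with high bit set, msg type 1, then version.
    if head[0] & 0x80 and head[2] == 0x01 and (
        (head[3], head[4]) == (0x00, 0x02) or head[3] == 0x03
    ):
        return "sslv2-hello"
    return "unknown"


def ssl_stays_enabled(data: bytes) -> bool:
    """Mirror the rule: only a positive HTTP match turns client SSL off."""
    return classify_first_bytes(data) != "http"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "legacy GET": b"GET / HTTP/1.0\r\n",
    "TLS ClientHello record": bytes.fromhex("16030100c8"),
    "SSLv2-format hello": bytes.fromhex("802e010301"),
    "unlisted method": b"OPTIONS * HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = classify_first_bytes(raw)
        print(f"{name:24} {verdict:12} ssl_enabled={ssl_stays_enabled(raw)}")
```
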