For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jwhitepnv_12764's avatar
jwhitepnv_12764
Icon for Nimbostratus rankNimbostratus
Nov 10, 2004

Rule to support HTTP and HTTPS in the same VIP?

I have a legacy application that uses http over port 443 (no encryption) and I want to add HTTPS on that same IP and port. Can I create a rule that will listen for something like the Client SSL Hello ...
application delivery
dev
devops
iRules
bl0ndie_127134's avatar
bl0ndie_127134
Historic F5 Account
Nov 10, 2004
Yes, BigIP gives you the ability to inspect the request data and selectively enable/disable SSL encryption. In this example, we check to see if the first 5 bytes of data matches the start of some of the well known HTTP requests and use that information to enable or disable SSL.

NOTE: There have been some fixes to the TCP::collect rule that will be available on 9.02 that you will need for this rule to function properly. 

 
 class http_methods {      
    "GET”      
    “POST”      
    “HEAD”       
    “PUT”      
 }       
              
 when CLIENT_ACCEPTED {      
    TCP::collect 5      
 }       
       
 when CLIENT_DATA {      
    if { [matchclass [TCP::payload] starts_with $::http_methods] } {      
        SSL::disable      
    }      
 }