Brian_Dantzig
Jul 03, 2012

selective drop of SSL

I have a virtual server that has client and server SSL profiles so that incoming HTTPS is terminated, then after processing is re-encrypted to the pool. There is an iRule that inspects the HTTP requests, and for certain paths it changes the pool. I have done this before. However, I want to send some requests to a pool of servers that are HTTP, not HTTPS. I tried this once before by dropping the encryption in the iRule, but that drops it for all subsequent requests down the connection, including ones destined for the encrypted pool/servers.

Any ideas on how to accomplish this?

  • Depending on how many paths you would like to exclude from encryption, you could use a couple of different methods. The simplest method for a single path:

    # Start each connection with server-side SSL turned off
    when CLIENT_ACCEPTED {
      SSL::disable serverside
    }

    # Turn server-side SSL back on unless the path is the plain-HTTP one
    when HTTP_REQUEST {
      if { !([string tolower [HTTP::path]] starts_with "/standardhttppath") } {
        SSL::enable serverside
      }
    }

    Or, if you have many paths that you would like to list in a data group (called 'standard_http_dg' in this example):

    # Start each connection with server-side SSL turned off
    when CLIENT_ACCEPTED {
      SSL::disable serverside
    }

    # Turn server-side SSL back on unless the path matches an entry in the data group
    when HTTP_REQUEST {
      if { ![class match [string tolower [HTTP::path]] starts_with standard_http_dg] } {
        SSL::enable serverside
      }
    }

    Regards,

    Eric
  • Thank you. I'll give it a try. Are there performance concerns with this? It looks like we might be doing a lot of extra SSL negotiations.