Forum Discussion
James_Thomson
Employee
Dec 09, 2004
selective re-encryption
I'm trying to have a VIP with SSL acceleration enabled accept traffic, inspect it, and if it is HTML, re-encrypt it and send it to a secure server pool. If it is a .gif, just send it to a port 80 pool.
I'm trying something like:
when CLIENTSSL_HANDSHAKE {
    if { [HTTP::uri] ends_with "gif" } {
        pool img_pool
    } elseif { [HTTP::uri] ends_with "html" } {
        pool html_secure_pool
    }
}
I don't know what to use to re-encrypt the data to the secure server. Also, would I need to wait for HTTP_REQUEST after CLIENTSSL_HANDSHAKE or is that enough?
If I gave the VIP a server SSL profile, could I then just parse out the gifs and just leave the rest alone?
Any help would be appreciated.
4 Replies
- unRuleY_95363 (Historic F5 Account)
This is what I think you want:
when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "gif" } {
        pool img_pool
    } else {
        pool html_secure_pool
    }
}
when SERVER_CONNECTED {
    if { [TCP::remote_port] != 443 } {
        SSL::disable
    }
}
The above example is courtesy of drteeth.
You could even just put the html_secure_pool on the virtual and then remove the "else { pool html_secure_pool }" part of the rule, since the pool on the virtual is considered the default pool.
- James_Thomson
Employee
I made the fallback pool the secure pool in the virtual. I have a clientssl and serverssl profile associated, and an http profile associated as well.
With this rule:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "index3" } {
        pool server2
        serverside { SSL::disable }
    }
}
I get this error in /var/log/ltm
Dec 9 22:21:28 tmm tmm[690]: 01220001:3: TCL error: Rule selective - Error: connection has no peer! (line 3) invoked from within "serverside {SSL::disable}"
Any ideas? Do I need to do anything with SSL::verify result?
- James_Thomson
Employee
With that last part, it got rid of the error and worked:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "index3" } {
        pool server2
    }
}
when SERVER_CONNECTED {
    if { [TCP::remote_port] != 443 } {
        SSL::disable
    }
}
Thanks for the help.
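The approach the thread settles on, written out as one complete iRule (this is an added example, not code from either poster): choose the pool in HTTP_REQUEST and turn off the server-SSL profile in SERVER_CONNECTED only when the selected member is not listening on 443, so traffic to the secure pool stays encrypted on the server side. It goes one step beyond the thread by matching on [HTTP::path] rather than the full URI, so a query string such as /logo.gif?v=2 still reaches the image pool. Pool names img_pool and html_secure_pool, and the presence of client-SSL, server-SSL and HTTP profiles on the virtual, are assumptions carried over from the posts.

```tcl
# Added example, not from the thread. Assumes the virtual has client-SSL,
# server-SSL and HTTP profiles attached, and that pools img_pool (plain
# HTTP members on port 80) and html_secure_pool (HTTPS members on 443)
# exist. html_secure_pool is also assumed to be the virtual's default pool.

when HTTP_REQUEST {
    # Decide on the path, not the whole URI: "ends_with gif" on HTTP::uri
    # fails as soon as a query string is appended to the image URL.
    set path [string tolower [HTTP::path]]
    if { [string match "*.gif" $path] } {
        # Static images go to the plain-HTTP pool.
        pool img_pool
    } else {
        # Everything else (HTML and anything unmatched) goes to the
        # secure pool; stated explicitly even though it is the default.
        pool html_secure_pool
    }
}

when SERVER_CONNECTED {
    # The server-SSL profile would otherwise try to start TLS on every
    # server-side connection. Disable it only toward members that are
    # not on 443, so the img_pool connection is plain HTTP while the
    # html_secure_pool connection is re-encrypted end to end.
    if { [TCP::remote_port] != 443 } {
        SSL::disable
    }
}
```

Selecting the pool by port rather than by pool name keeps the rule correct if members are later added to either pool, as long as the convention "443 means re-encrypt" holds; a member on a non-standard TLS port would need its own check.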