Forum Discussion

jay_britton_414
Oct 16, 2013

Selective SSL offload based on URL

Hi All,

I have an Internet-facing VIP on port 443 offering SSL offload for a number of URLs. It's since been discovered that one of these applications does not support SSL offload and must do it itself. The question I have is: is it possible, with an iRule or another method, to selectively SSL offload based on the URL? E.g. when traffic hits the VIP requesting URL "A" it gets decrypted on the F5, but if it requests URL "B" it gets passed straight to the pool?

Essentially I'm trying to avoid migrating this one troublesome application to a different VIP.

Thanks

Jay

6 Replies

  • nathe

    Jay,

    This should be doable in an iRule using SSL::disable.

    See: https://devcentral.f5.com/wiki/iRules.ssl__disable.ashx

    Should be a few examples on DC for SSL::disable to get you started.

    Hope this helps, N

  • Actually no, sort of. HTTP host and URI values are not visible until after SSL decryption. That said, if you're strictly talking about URI paths, then it's a hard NO. But if you're talking about host names, you could conceivably do this for TLS-based clients (clients that support the TLS protocol, which is usually anything greater than WinXP). Using an iRule to sniff the server_name extension field in a CLIENTHELLO message, you could persist to a pool and disable client side SSL offload.

  • I believe Kevin is correct: the host and URI are encrypted until the decryption takes place, so turning off SSL selectively is not possible. I am not sure how you have multiple URLs on the same VIP on 443 unless you are talking subdomains with a wildcard cert. I would be keen to see how you have done it as it would be extremely handy.

    Anyway, I guess you could, though, run both a clientssl profile and a serverssl profile to the backend. The net effect should be the same, but you would be able to access the hostname and URI on the BIG-IP, as well as satisfying the application's need to expose itself on 443.

  • I am not sure how you have multiple urls on the same vip on 443 unless you are talking subdomains with a wildcard cert. I would be keen to see how you have done it as it would be extremely handy.

    Host-based load balancing of HTTPS resources can be accomplished in one of three ways: a single wildcard certificate applied to the client SSL profile, a single SAN certificate applied to the client SSL profile, or multiple SNI-based client SSL profiles applied to the VIP. A wildcard would encompass all potential subdomains, a SAN could encompass several non-related host names, and an SNI config would allow the LTM to switch between client SSL profiles based on the server_name extension in the TLS CLIENTHELLO message. All of these methods, however, require SSL offload to be able to do HTTP-based host/URI evaluation. The method I'm suggesting would allow TLS-capable clients to pass through without SSL offload given that the CLIENTHELLO message is unencrypted and visible in a TCP payload evaluation.
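Kevin's approach (reading server_name out of the unencrypted CLIENTHELLO before any client SSL profile has decrypted anything) rests on parsing that message in the raw TCP payload. The Python below is an added example, not from this thread and not an F5 iRule: it constructs a sample ClientHello for the made-up host app-b.example.com, and extract_sni() walks the record the way an iRule inspecting collected TCP data would have to, returning None for non-TLS traffic, clients that send no SNI, or a record that has not fully arrived yet.

```python
import struct


def build_client_hello(host):
    """Constructed sample input: a minimal TLS 1.2 ClientHello whose only
    extension is server_name (RFC 6066); host=None builds one with no extensions."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack(">H", len(entry)) + entry              # ServerNameList
        ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list    # extension_type 0 = server_name
        exts = struct.pack(">H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version TLS 1.2, 32-byte random
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\x00\x2f"           # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00"                   # one compression method: null
            + exts)
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body            # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs          # ContentType handshake(22)


def extract_sni(payload):
    """Return the host_name from the SNI extension of a ClientHello at the start of a
    TCP payload, or None (non-TLS data, a pre-SNI client, or a still-incomplete record)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:                  # handshake record, ClientHello
            return None
        rec_len = struct.unpack(">H", payload[3:5])[0]
        if len(payload) < 5 + rec_len:                                # need more TCP data first
            return None
        pos = 43                                                      # 5 record + 4 hs + 2 version + 32 random
        pos += 1 + payload[pos]                                       # session_id
        pos += 2 + struct.unpack(">H", payload[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + payload[pos]                                       # compression_methods
        if pos + 2 > 5 + rec_len:                                     # hello carries no extensions at all
            return None
        end = pos + 2 + struct.unpack(">H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0 and ext_len >= 5 and payload[pos + 2] == 0:   # first entry is host_name
                name_len = struct.unpack(">H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                                   # malformed or truncated: do not guess
    return None
```

In a real iRule the None case still needs a decision (fall back to offload, or send to the pass-through pool), which is exactly where the pre-SNI clients Kevin mentions end up.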


  • Hey Folks,

    I am facing an issue while using the given iRule for SNI. It looks as though the Pool associated with the VS has stopped considering the applied load balancing algorithm (i.e. Least Connections (member)).

    The Pool has 2 members within, and only one member is processing all the traffic coming to this VS. Any idea whether this can be caused by the SNI iRule?

    Thank you, Darshan