Forum Discussion

mshoaib's avatar
mshoaib
Icon for Cirrus rankCirrus
Jun 04, 2020

Server SSL Profile - how to use selectively

Hi there,

 

I have a situation and wonder to check here if one came across the same.

 

I have a VIP listening on https with SSL Client profile configured with a valid SSL Certificate. This VIP divert traffic to several applications using iRules on clear text (http).

Recently, I have a new request to incorporate a new application to the same VIP/iRules but new application requires encrypted traffic (https).

 

I can enable the Server SSL on the VIP and make the new app happy but then it will break all the previous apps.

 

Is there a way to select Server SSL Profile in the iRules but only if certain conditions met ( URI , headers etc. ) and rest of the traffic don't use Server SSL profile at all.

 

LTM Version : 13.1.3

 

Any help or pointers are highly appreciated.

 

Thank you,

Muhammad

  • Hi Muhammad,

     

    Can you please share the details of your iRule and VIP

     

    There are 2 ways you can try accomplish this

     

    Method 1 - Using iRule

     

    You need to add a default ssl server profile or the required Server side SSL profile to your VIP. Then updatemy your irule to initially disable the server side ssl for all sites and then renable it on the website where you needed it on.

     

    1. when CLIENT_ACCEPTED {
    2. SSL::disable serverside
    3. }
    4.  
    5. when HTTP_REQUEST {
    6. switch [string tolower [HTTP::host]] {
    7. site1.website.com { pool site1.website.com_pool }
    8. site2.website.com { pool site2.website.com_pool }
    9. SSLsite3.website.com {
    10. SSL::enable serverside
    11. pool SSLsite3.website.com_pool
    12. }
    13. site4.website.com { pool site4.website.com_pool }
    14. default { reject }
    15. }
    16. }

     

    Method 2 - You can do easier since version 11.5 (feature is available in 11.4 but not working...) with Local traffic policies.

     

    Rule 1:

     

    • Condition :
    • action :
      • forward pool site1.website.com_pool
      • serverssl disable

    Rule 2:

     

    • Condition :
    • action :
      • forward pool site2.website.com_pool
      • serverssl disable

    Rule 3 (SSL Site):

     

    • Condition :
    • action :
      • forward pool site3.website.com_pool

     

    • mshoaib's avatar
      mshoaib
      Icon for Cirrus rankCirrus

      Hi Sachin-Garg,

      I have fairly long iRules but below I copied the compact version. This iRule attached to a VIP where ONLY client ssl profile has been applied but no server ssl.

      All the pools referenced are listening on port 80 and expecting clear text (non-ssl) traffic except for the pool "mxz" (line #8)

      This is a new application and needs ssl traffic continue all the way from the browser.

      I haven't used and explored "policies" on the LTM but really like the way you have mentioned to solve the problem.

      Are there any drawbacks using Policies instead of updating iRules in this case ?

      if this POC works then I have 500+ similar VIP/iRule combo that will embrace this change.

       
       
      when HTTP_REQUEST {
       
          if { [HTTP::uri] starts_with "/login/data" } {
              pool app8-web
          } elseif { [HTTP::uri] starts_with "/app/rs"} {
              pool mxz
          } elseif { [HTTP::uri] starts_with "/v2.2/esa/api" } {
              pool app9-esa
          } elseif { [HTTP::uri] starts_with "/v2.1/esa/api" } {
              pool app9-esa
          } elseif { ([HTTP::uri] starts_with "/login/v1") or ([HTTP::uri] starts_with "/login/rs" ) or ([HTTP::uri] starts_with "/login/api" )} {
              if { [HTTP::header value "Auth"] starts_with "Client"} {
                  HTTP::redirect "https://www.somedomain.com"
              }
              else {
                  pool login-app
              }
          }
      }
       
       
       
      when HTTP_RESPONSE {
       
        if { !([HTTP::header exists "X-Frame-Options"])} { HTTP::header insert X-Frame-Options "SAMEORIGIN" }
        if { !([HTTP::header exists "X-XSS-Protection"])} { HTTP::header insert X-XSS-Protection "1; mode=block" }
        if { !([HTTP::header exists "X-Content-Type-Options"])} { HTTP::header insert X-Content-Type-Options "nosniff" }
        if { !([HTTP::header exists "Content-Security-Policy"])} { HTTP::header insert Content-Security-Policy "frame-ancestors 'self' " }
        if { !([HTTP::header exists "Strict-Transport-Security"])} { HTTP::header insert "Strict-Transport-Security" "max-age=16070400; includeSubdomains" }
       
       
      }