Forum Discussion
fita_30888
Nimbostratus
Nimbostratusserverside SSL
Hi there,
I have a customer with a weird requirement. They have an application server that only supports HTTP communication. However for one reason or another they need this server to be able to talk to a HTTPS server. Put it in other words they have a HTTP client who needs to talk to HTTPS server.
My idea was that I'll put Virtual server with serverside SSL profile and it would work. The question is it possible to use server side ssl without having client side using SSL as well?
thanks
hoolioCirrostratus
That should work fine. If the web app uses absolute references to https:// in response headers or content, you might need to rewrite them to http://. But give it a shot first and see if it works as is.
Aaron
fita_30888Cheers for the reassurance! The confguide says "re-encrypting a decrypted request" so I was in doubts. As for the replace would an iRule with switch do the job?
thanks- hoolioRe-encrypting a decrypted request is the most common (not not only) use case for server SSL. If you need to rewrite the response headers, you could use 'HTTP::header replace'. For response content, you could use a blank stream profile and a STREAM::expression iRule.
Here are a few examples:
http://devcentral.f5.com/wiki/default.aspx/iRules/RewriteHTTPRedirectHostname.htmlwhen HTTP_RESPONSE { Check if server response is a redirect if { [HTTP::header is_redirect]} { Log original and updated values log local0. "Original Location header value: [HTTP::header value Location],\ updated: [string map -nocase "https:// http://" [HTTP::header value Location]]" Do the update, replacing https:// with http:// HTTP::header replace Location [string map -nocase "https:// http://" [HTTP::header value Location]] } }
And for payload rewriting:
http://devcentral.f5.com/wiki/default.aspx/iRules/STREAM__expression.htmlwhen HTTP_RESPONSE { Disable the stream filter by default STREAM::disable Check if response type is text if {[HTTP::header value Content-Type] contains "text"}{ Replace https:// with http:// STREAM::expression "@https://@http://@" Enable the stream filter for this response only STREAM::enable } }
As the payload size would change for the stream iRule rewrite, you'll need to set the HTTP profile option for chunking to rechunk.
Again, I'd suggest you try the scenario without iRules to start with. It's quite possible you won't need any iRules.
Aaron - fita_30888Hello again,
we have tested it but, we've only got success when the virtual address is on :443. As the requests are coming on :80 I was thinking of inserting the port to request via something like this:
when HTTP_REQUEST {
if { not [HTTP::host] contains ":" } {
HTTP::header replace Host "[HTTP::host] : 443"
}
}
I'm trying to replace the :80 with :443 in this irule.
cheers - hoolioWhat fails when the VS is on port 80? Does the client get any response? Can you capture a tcpdump on LTM and use a browser plugin like HttpFox for FF or Fiddler for IE to see what's happening?
Aaron - fita_30888Hi,
I'll have it retested it later today get the tcpdump and look into http headers, as i'm un. when the VIP is on 80 and pool is on 443, than the client gets no response at all. it just opens tcp session, waits and eventually timesout. when they set the pool to 80 and vip with no serverside ssl they got through. and when they set the vip on 443 pool on 443 they get to the page. the LTM is running 9.4.x - fita_30888Aaron,
they had port translation disable on the VIP after enabling it everything works fine!
thanks for you help!