Forum Discussion
Bartek_Krajnik_
Nimbostratus
Jan 07, 2010
serverssl and ssl offloading (http to https)
Hi,
I'm trying to make ssl offloading on HTTP.
The request comes from the client via HTTP, and on the F5 I'm trying to tunnel it over HTTPS to the server.
For example client requests: http://www.f5.com and it comes via http to f5, then on F5 I make ssl connection to https://www.f5.com (client can view only http connection).
I created 2 virtualservers:
virtual virtualserver1 {
    ip forward
    destination any:any
    mask none
    vlans IN
    OUT enable
}
virtual virtualserver2 {
    pool nextrouter
    destination any:80
    mask none
    ip protocol tcp
    vlans IN enable
    rules proxyit
    profiles
        serverssl
        tcp
}
rule proxyit {
    when CLIENT_ACCEPTED {
        node U.X.Y.Z 443
    }
}
Where U.X.Y.Z is IP address of interface where virtualserver1 listens (IN).
pool nextrouter has IP address of next gateway.
And now I can see packets which come in via the IN interface and go to virtualserver2, and that's all.
Directive "node U.X.Y.Z 443" doesn't send packets to IN interface.
Where can the problem be?
6 Replies
- hoolio
Cirrostratus
I'm not sure this would work, but can you try changing the iRule to:
when CLIENT_ACCEPTED {
    node [IP::local_addr] 443
}
Also, is it a limited set of destination hosts which can/will be requested through the wildcard VIP? If you do get this configuration working, I think you'll see failures when clients make an HTTP request to the VIP for a destination host which doesn't support SSL on port 443.
Aaron
- Bartek_Krajnik_
Nimbostratus
Trick with "node [IP::local_addr] 443 " doesn't work.
Regarding redirected clients, I will enable it only for a few domains which support SSL on port 443.
I still don't have any redirected packets after the "node" directive. Any ideas?
Thx a lot.
- Bartek_Krajnik_
Nimbostratus
Can it be a problem with a different software version? I'm using 9.6.1 and someone told me that an upgrade to version 10 can help.
I cannot upgrade it, and strictly I need some solution on this version of software.
- hoolio
Cirrostratus
If you remove the proxyit iRule and define the nextrouter pool member(s) on port 443 does it work? If not, do you see a server side connection attempted to the destination IP address?
I can't think of a reason it should matter if you're running 9.6.x versus 10.x for this.
Aaron
- Bartek_Krajnik_
Nimbostratus
If I add "forward" rule to iRule then it forwards packets.
Adding "SSL::enable serverside" also redirects traffic, but as I think then I need to rewrite URL (http->https) and dest_port (80->443).
I'm testing it just now.
- Bartek_Krajnik_
Nimbostratus
resolved:
rule proxyit {
    when CLIENT_ACCEPTED {
        SSL::enable serverside
        node nextrouter 443
    }
}
But up to now I don't understand why serverssl at the virtualserver directive didn't work.
