Set Server SSL Profile Based on URI
Hi all
We have a need to set a specific Server SSL Profile based on the requested URI for a HTTPS VS. I have searched around and there appear to be a number of example iRules that could/should do the trick, but I seem to be failing.
I have concocted this little gem based on an amalgamation of my findings; however, it does not seem to work:
when HTTP_REQUEST {
    set uri [HTTP::uri]
}
when SERVER_CONNECTED {
    if {$uri equals "/uri1" } {
        SSL::profile SERVER-SSL-1
    }
    elseif {$uri equals "/uri2" } {
        SSL::profile SERVER-SSL-2
    }
}
I feel I'm probably missing something fundamental here. Any clues would be really helpful.
I have applied the default Server SSL profile to the VS as I believe this is required for SSL profile switching.
Thank you.
Hi Devlin,
you may take a look at the iRule I'm using to selectively change or even disable the Server SSL Profile for specific requests.
when HTTP_REQUEST {
    # Debug logging switch (0 = off, 1 = on); set here so SERVER_CONNECTED can read it
    set debug 0
    if { [HTTP::uri] equals "/uri1" } then {
        # Switch Server SSL Profile to "/Common/SERVER-SSL-1"
        set Pool_SSL_Profile "/Common/SERVER-SSL-1"
    } elseif { [HTTP::uri] equals "/uri2" } then {
        # Switch Server SSL Profile to "/Common/SERVER-SSL-2"
        set Pool_SSL_Profile "/Common/SERVER-SSL-2"
    } elseif { [HTTP::uri] equals "/uri3" } then {
        # Disabling Server SSL Profile
        set Pool_SSL_Profile ""
    }
}
when SERVER_CONNECTED {
    # Handler for Server SSL Profile Selection
    if { $debug } { log -noname local0. "--- Entering \"Server SSL_Selector\" SERVER_CONNECTED iRule ---" }
    if { $debug } { log -noname local0. "+++ Entering Server SSL Profile Selection Handler +++" }
    if { [PROFILE::exists serverssl] } then {
        if { $debug } { log -noname local0. "The Virtual Server \"[virtual]\" has a Server SSL Profile assigned." }
        if { $Pool_SSL_Profile eq "" } then {
            if { $debug } { log -noname local0. "The Request has no Server SSL Profile specified. Disabling the Server Side SSL Channel." }
            catch { SSL::disable serverside }
        } else {
            if { $debug } { log -noname local0. "The Request has an Server SSL Profile specified. Changing the SSL Profile to \"$Pool_SSL_Profile\"." }
            if { [catch { SSL::profile $Pool_SSL_Profile }] } then {
                log -noname local0. "!!!! Warning !!!! The Virtual Server \"[virtual]\" has selected the SSL profile \"$Pool_SSL_Profile\" but it does not exist. Disabling the Server Side SSL Channel. !!!! Warning !!!!"
                catch { SSL::disable serverside }
            } else {
                if { $debug } { log -noname local0. "Enabling the Server Side SSL Channel." }
                catch { SSL::enable serverside }
            }
        }
    } else {
        log -noname local0. "!!!! Warning !!!! The Virtual Server \"[virtual]\" has no default SSL Server Profile assigned !!!! Warning !!!!"
    }
    if { $debug } { log -noname local0. "+++ Leaving SSL Profile Selection Handler +++" }
    if { $debug } { log -noname local0. "--- Leaving \"Server_SSL_Selector\" SERVER_CONNECTED iRule ---" }
}
Note: To use this iRule you have to assign a default Server SSL Profile to your Virtual Server (it could be a dummy profile). The reason for this is that you can't change or assign a Server SSL Profile if the Virtual Server doesn't have a default profile attached. Once the Virtual Server has a default Server SSL Profile configured, you could selectively disable the Server SSL Profile as needed by setting $Pool_SSL_Profile to an empty string.
Cheers, Kai