For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Devlin_T_149357's avatar
Devlin_T_149357
Sep 01, 2017

Set Server SSL Profile Based on URI

Hi all We have a need to set a specific Server SSL Profile based on the requested URI for a HTTPS VS. I have searched around and there appear to a number of example iRules that could/should do the ...
application delivery
iRules
LTM
ssl server profile
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 01, 2017

Hi Devlin,

you may take a look to the iRule I'm using to selectively change or even disable the Server SSL Profile for specific requests.

when HTTP_REQUEST {
    if { [HTTP::uri] equals "/uri1" } then {
         Switch Server SSL Profile to "/Common/SERVER-SSL-1"
        set Pool_SSL_Profile "/Common/SERVER-SSL-1"
    } elseif { [HTTP::uri] equals "/uri2" } then {
         Switch Server SSL Profile to "/Common/SERVER-SSL-2"
        set Pool_SSL_Profile "/Common/SERVER-SSL-2"
    } elseif { [HTTP::uri] equals "/uri3" } then {
         Disabling Server SSL Profile
        set Pool_SSL_Profile ""
    }
}
when SERVER_CONNECTED {

    
      Handler for Server SSL Profile Selection


     if { $debug } { log -noname local0. "--- Entering \"Server SSL_Selector\" SERVER_CONNECTED iRule ---" }
     if { $debug } { log -noname local0. "+++ Entering Server SSL Profile Selection Handler +++" }

    if { [PROFILE::exists serverssl] } then {

         if { $debug } { log -noname local0. "The Virtual Server \"[virtual]\" has a Server SSL Profile assigned." }

        if { $Pool_SSL_Profile eq "" } then {

             if { $debug } { log -noname local0. "The Request has no Server SSL Profile specified. Disabling the Server Side SSL Channel." }

            catch { SSL::disable serverside }

        } else {

             if { $debug } { log -noname local0. "The Request has an Server SSL Profile specified. Changing the SSL Profile to \"$Pool_SSL_Profile\"." }

            if { [catch { SSL::profile $Pool_SSL_Profile }] } then {

                log -noname local0. "!!!! Warning !!!! The Virtual Server \"[virtual]\" has selected the SSL profile \"$Pool_SSL_Profile\" but it does not exist. Disabling the Server Side SSL Channel. !!!! Warning !!!!"

                catch { SSL::disable serverside }

            } else {

                 if { $debug } { log -noname local0. "Enabling the Server Side SSL Channel." }

                catch { SSL::enable serverside }

            }

        }

    } else {

        log -noname local0. "!!!! Warning !!!! The Virtual Server \"[virtual]\" has no default SSL Server Profile assigned !!!! Warning !!!!"

    }

     if { $debug } { log -noname local0. "+++ Leaving SSL Profile Selection Handler +++" }
     if { $debug } { log -noname local0. "--- Leaving \"Server_SSL_Selector\" SERVER_CONNECTED iRule ---" }

}

Note: To use this iRule you have to assign a default Server SSL Profile to your Virtual Server (it could be a dummy profile). The reason for this is, that you can't change or assign a Server SSL Profiles if the Virtual Server don't have a default profile attached. Once the Virtual Server has a default Server SSL Profile configured, you could selectively disable the Server SSL Profile as needed by setting 

$Pool_SSL_Profile
to an empty string.

Cheers, Kai