Forum Discussion

smullis_128098
Jul 06, 2005

Squid, HTTPS / HTTP differentiation

Hello Everyone...

I am sure that someone somewhere out there has had similar experiences to mine!

We have a number of HTTP/HTTPS Proxy Server Pools (SQUID) for which we would like to implement persistence.

All incoming client requests to the Proxy servers come to a fixed IP on port 80 (i.e. ALL HTTP and HTTPS).

I would like to implement an iRule to send all traffic destined for HTTPS sites to a pool of Proxy Servers using SSL Persistence and all traffic destined for non-encrypted / HTTP sites to use Cookie (Insert) persistence.

Obviously, this will not work as I am unable to see the HTTP Headers for the SSL traffic.

rule split_http_https_by_pool_v4 {
    if ( exists http_header "SSL Session ID" ) {
        use pool HTTPS_Pool
    }
    else {
        use pool HTTP_Pool
    }
}

I've also tried using the http_method as the differentiator but get SSL errors in /var/log/bigip....

iRule:

rule split_http_https_by_pool_v4 {
    if (http_method matches_regex "CONNECT") {
        log local0.info "https trigger"
        use pool HTTPS_Pool
    }
    else {
        use pool HTTP_Pool
    }
}

bigip log errors:

Jul 5 18:14:56 BLAHBLAH kernel: RULE TEST_CONNECT - https trigger
Jul 5 18:14:56 BLAHBLAH kernel: SSL2: Message type is not a client hello
Jul 5 18:14:56 BLAHBLAH kernel: SSL3: Content type not a handshake.

Through this rule, HTTP sites work fine but HTTPS is broken.

I am finding it hard to find a generic way of differentiating between SSL and non-SSL traffic. Does anyone have any suggestions as to another approach I could use?

Many thanks in advance for any help / insight / assistance you are able to provide.

Cheers

SM

1 Reply

  • All fixed and working....

    if (http_method matches_regex "CONNECT") {
        use pool HTTPS_Pool
    }
    else {
        use pool HTTP_Pool
    }

    I now realise that the settings for the HTTPS_Pool were not quite right and the iRule was doing just fine.

    SM
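As an added example (not code from the post, from F5 or from Squid), the split the thread settles on, written out in Python so the logic can be run offline: it reads the first request line of a client-to-proxy connection, sends CONNECT tunnels to HTTPS_Pool and everything else to HTTP_Pool, and flags a raw TLS record, which no request-line test can route. The sample inputs and the host names in them are constructed; the pool names are the post's own.

```python
import re

# Constructed sample first bytes of client-to-proxy connections (not captured
# from the post). A client configured to use an HTTP proxy sends a plaintext
# "CONNECT host:443" request for an HTTPS site and only starts TLS inside that
# tunnel, so a load balancer in front of Squid on port 80 sees a plaintext
# request line for both HTTP and HTTPS and can split on the method. There is
# no "SSL Session ID" HTTP header to test for at this point.
SAMPLES = {
    "tunnel": b"CONNECT bank.example:443 HTTP/1.1\r\nHost: bank.example:443\r\n\r\n",
    "plain": b"GET http://news.example/ HTTP/1.1\r\nHost: news.example\r\n\r\n",
    "raw_tls": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # TLS record header
    "junk": b"\x00\x01\x02junk",
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
CONNECT_TARGET = re.compile(rb"^([A-Za-z0-9.\-]+|\[[0-9a-fA-F:]+\]):([0-9]{1,5})$")


def classify(first_bytes: bytes) -> dict:
    """Pick the Squid pool for one client connection from its first request line.

    Mirrors the thread's final rule: CONNECT (tunnelled HTTPS) goes to
    HTTPS_Pool, any other HTTP request goes to HTTP_Pool. Pool names are the
    post's own; everything else here is illustrative.
    """
    # Content type 0x16 (handshake) followed by major version 0x03 is a raw TLS
    # record: the client spoke TLS directly instead of proxy-HTTP, so there is
    # no request line to split on. Report it rather than guess a pool.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return {"pool": None, "reason": "raw TLS record on the proxy port"}
    m = REQUEST_LINE.match(first_bytes)
    if m is None:
        return {"pool": None, "reason": "not an HTTP/1.x request line"}
    method, target = m.group(1), m.group(2)
    if method != b"CONNECT":
        return {"pool": "HTTP_Pool", "method": method.decode(), "target": target.decode()}
    t = CONNECT_TARGET.match(target)
    if t is None or int(t.group(2)) > 65535:
        return {"pool": None, "reason": "malformed CONNECT target"}
    # The tunnel destination is visible in the clear even though the TLS
    # session inside it is not; it is all the load balancer can key on.
    return {"pool": "HTTPS_Pool", "host": t.group(1).decode(), "port": int(t.group(2))}


def route_all(samples: dict = SAMPLES) -> dict:
    """Classify every sample and return just the pool chosen for each."""
    return {name: classify(data)["pool"] for name, data in samples.items()}
```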