Forum Discussion
TWSS_18275
Nimbostratus
NimbostratusSSL / Non-SSL Same VIP
I would like to have one VIP that can handle both secure and non-secure traffic. I have found and implemented the rule at: http://devcentral.f5.com/wiki/default.aspx/iRules/HttpHttpsSingleVirtualServer.html and I am having a small problem. Non-secure traffic works without a problem, but secure traffic does not. I get no response back.
Here's the modified rule:
when RULE_INIT {
Define virtual server ports that should have SSL enabled
set ::vip_https_ports [list \
443 \
]
Define virtual server ports that should be answered with HTTP
set ::vip_http_ports [list \
80 \
]
Set this option to 1 to log debug messages (to /var/log/ltm by default)
set ::debug 1
}
when CLIENT_ACCEPTED {
If debug is enabled, print a start marker
if {$::debug}{log local0. "---------------------------- Start ---------------------------- "}
if {$::debug}{log local0. "Pool Selected: [LB::server pool] "}
set ::non_secure_pool [string trim [LB::server pool] s]
if {$::debug}{log local0. "Http Pool: $::non_secure_pool"}
if { ([matchclass [TCP::local_port] equals $::vip_https_ports]) }{
Request was to an HTTPS port, so do nothing for the clientside connection.
The defined client and/or server SSL profiles will be applied as normal
if {$::debug}{log local0. "HTTPS request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
log an error if the virtual server doesn't have a client SSL profile, but receives an SSL request
if {[PROFILE::exists clientssl] == 0}{
if {$::debug}{log local0. "ERROR: client connection received from [IP::client_addr] on port [TCP::local_port], but no client SSL profile is enabled on [IP::local_addr]"}
reject
}
if {$::debug}{log local0. "HTTPS Pool Selected: [LB::server pool] "}
} elseif {([matchclass [TCP::local_port] equals $::vip_http_ports]) }{
Request was to an HTTP port, not an HTTPS port, so disable client SSL profile if one is enabled on the VIP
if {$::debug}{log local0. "HTTP request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
Check to see if there is a client SSL profile and if so, disable it
if { [PROFILE::exists clientssl] == 1} {
if {$::debug}{log local0. "Client SSL profile enabled on VIP. Disabling SSL"}
set disable_cmd "SSL::disable"
eval $disable_cmd
}
}
else {
Request wasn't to a defined port, so reset it
if {$::debug}{log local0. "Dropping request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
reject
}
}
when HTTP_RESPONSE {
if {$::debug}{log local0. "Outgoing from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
}
Anything that I am missing?
- You also need to be sure that you have a Client SSL profile set up for the virtual in question. Since this rule effectively does nothing for traffic that's deemed HTTPS, you need to have the default configuration set up for SSL traffic. The iRule will then shut off that profile if it detects HTTP traffic.
Did you try that? Is there any information showing up in the logs?
Colin 
TWSS_18275Yes, here's the vip:
virtual vip_2xx.xxx.xxx.xxx_http_s {
destination 2xx.xxx.xxx.xxx:any
ip protocol tcp
profile http secure.sitename.com tcp
persist cookie
pool pool_route_testing_http
rule combine_http_https
combine_http_https_header
}
and here's the log entries:
Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : ---------------------------- Start ----------------------------
Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : Pool Selected: pool_route_testing_https
Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : Http Pool: pool_route_testing_http
Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : HTTPS request from x.x.x.x to x.x.x.x:443
Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : ---------------------------- Start ----------------------------
Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : Pool Selected: pool_route_testing_https
Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : Http Pool: pool_route_testing_http
Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : HTTP request from x.x.x.x to x.x.x.x:80
Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : Client SSL profile enabled on VIP. Disabling SSL- hoolio
Cirrostratus
Hi,
What are you trying to do with the https pool? Do you want/need to have HTTPS requests sent to an HTTPS pool? The Codeshare example was designed to use a single HTTP pool. You could specify an HTTPS pool in the rule using the pool command (Click here). You'd need to add a server SSL profile to the VIP and disable that in addition to the client SSL profile for HTTP requests.
With two different pools, the cookie persistence profile would no longer work as it does with one pool, as the pool definition (and persistence value in the cookie) would change the client goes from HTTP to HTTPS. I suppose you could use a single pool to do the member selection (and persistence) and then set the port using the node command (Click here) in the LB_SELECTED event. I'm not 100% sure on this methodology though.
Aaron - hoolioWhat are you trying to accomplish by using the rule? Previously it's been used to minimize the number of objects in the config--but also to support cookie persistence across HTTP and HTTPS requests. If you want to use HTTPS on the server side for client requests over HTTPS and HTTP for client side HTTP requests and support cookie persistence, you wouldn't be able to use two different pools.
Can you post the config for the two pools? Also, what's "combine_http_https_header"? Lastly, the request shouldn't be getting to the pool_route_testing_http, as it's not listed as the default pool on the VIP or being selected in the rule using the pool command.
Maybe if you can provide more detail on what you're trying to accomplish and a bit more detail on the current configuration we can work out a solution that will work.
Aaron - hoolioI'm curious about this. If you're willing to, can you email me at hooleylists at gmail dot com?
Aaron 
hatem_h_35533hello,
I'm new with this technology, and not sure that my question is the same as yours, but i need a help for this problem :
i need to install a SSL traffic on an existing VIP, without loosing the http access.
some clients <---https---->F5<----http---> server
and
the rest of clients<---http---->F5 <----http--->the same server
so i make these :
- create a new VS (app_https_vs) with the same IP but listen on the 443
- install a SSL certificate
- create SSL_client_profile based on this certificate
- use this profile on the new created VS, (without SSL server profile)
- write a iRule (that i found on this forum) like this :
when CLIENT_ACCEPTED {
pool decibel_rct_http_pool;
}
the problem is that after login page the tafic became on http
and i got a blank page !?!..
any one have an idea about this ?
NB : the server is an iPlanet using Siebel plugin.
thanks for help,
hatem- hoolioHi Hatem,
It sounds like you're implementing a pretty standard configuration with separate VIPs for HTTP and HTTPS. What you've described sounds correct. Though, you shouldn't need an iRule to select the decibel_rct_http_pool. You can just assign the pool as the default pool on the VIP.
Also, if the HTTP VIP was working prior to adding the HTTPS VIP, no changes should be necessary to the HTTP VIP. If you remove the iRule and specify the pool, but the requests fail, can you post an anonymized copy of the VIPs and pools from the /config/bigip.conf file?
Lastly, if the initial request to the HTTPS VIP is being redirected to HTTP, you can enable rewrite redirects on the HTTP profile. You can create a custom HTTP profile, modify the rewrite redirects option and then select this for the HTTPS VIP. You can check the online help for details on the different rewrite redirects options.
Thanks,
Aaron