Forum Discussion

Billy_chuang_16
Historic F5 Account
Apr 11, 2008

ssl and non SSL over the same VS

Hi,

How do I use an iRule to determine whether an incoming TCP connection has an SSL/TLS handshake? If there is an SSL/TLS handshake, then apply the Client-SSL profile and load balance to a specific server pool; if the TCP connection does not have a handshake, then load balance to another server pool without the Client-SSL profile.

The purpose of this requirement is that there are some mobile handsets that do not support TLS and some new handsets that do, and the customer would like to use a single virtual server.

Can anyone help me with how the iRule can determine the SSL/TLS handshake from the TCP payload?

The concept of the iRule is probably:

    when CLIENT_ACCEPTED {
        get TCP payload xxx bytes
        if { TCP payload == "HELLO SSL" } then {
            Client-ssl
            pool ssl-offload-server
        } else {
            pool normal-server
        }
    }

Many thanks.
  • Colin_Walker_12
    Historic F5 Account
    Unfortunately there isn't currently a way to directly read the TCP headers via an iRule. There is certain information made available, but the first point of collection that you can really perform in an iRule is a payload collection which, obviously, is going to be encrypted and useless if it's an SSL transaction.

    Colin
  • spark_86682
    Historic F5 Account
    It should be possible to inspect the contents of the first TCP packet that the client sends to see if it's SSL or not. Something like:

    when CLIENT_ACCEPTED {
      TCP::collect 1
    }
    when CLIENT_DATA {
      if { [TCP::payload] contains "SSL" } {
        pool SSL_pool
      } else {
        pool nonSSL_pool
      }
    }

    The key is going to be determining how to differentiate between the two. I don't know what an SSL handshake packet looks like; you'll have to determine that on your own. Once you know, if you need help turning that information into an iRule, don't hesitate to post here for more assistance.

    Good luck!
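The detection step the thread leaves open, as an added example that is not code from either reply: a Python classifier for the first bytes a client sends, making the same decision the iRule's CLIENT_DATA event would make (the two pool names are the original poster's; the byte layouts are the SSLv3/TLS record header and the SSLv2 ClientHello, and porting the check into the iRule with `binary scan` is assumed, not shown). It also shows why a plain `contains "SSL"` test on the payload is not a reliable discriminator.

```python
import struct
from typing import Optional

TLS_HANDSHAKE_RECORD = 0x16   # SSLv3/TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello
MIN_BYTES = 6                 # record header (5) + handshake message type (1)


def classify_payload(payload: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection.

    Returns "ssl" for an SSLv3/TLS or SSLv2 ClientHello, "plain" for anything
    else, and "more" when fewer than MIN_BYTES have arrived (the iRule
    equivalent is to keep collecting and wait for the next CLIENT_DATA).
    """
    if len(payload) < MIN_BYTES:
        return "more"
    content_type, major, minor, rec_len, hs_type = struct.unpack(
        "!BBBHB", payload[:MIN_BYTES])
    # SSLv3/TLS: 0x16 record, version 3.x, sane length, first message is ClientHello
    if (content_type == TLS_HANDSHAKE_RECORD and major == 3 and minor <= 3
            and 0 < rec_len <= 0x4800 and hs_type == CLIENT_HELLO):
        return "ssl"
    # SSLv2 ClientHello (older handsets): 2-byte length with high bit set,
    # then message type 0x01, then the offered version (0x0002 or 0x03xx)
    if payload[0] & 0x80 and payload[2] == CLIENT_HELLO and payload[3] in (0x00, 0x03):
        return "ssl"
    return "plain"


def pick_pool(payload: bytes) -> Optional[str]:
    """Map the classification onto the poster's two pools; None means collect more."""
    kind = classify_payload(payload)
    if kind == "more":
        return None
    return "ssl-offload-server" if kind == "ssl" else "normal-server"


# Constructed sample payloads (leading bytes only, not real captures)
TLS10_CLIENT_HELLO = bytes.fromhex("160301002f0100002b0301")
SSLV2_CLIENT_HELLO = bytes.fromhex("802e01000200150000")
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\n"
PLAIN_MENTIONING_SSL = b"GET /SSL-help.html HTTP/1.1\r\n"  # defeats a naive contains "SSL"

if __name__ == "__main__":
    for name, data in [("tls", TLS10_CLIENT_HELLO), ("sslv2", SSLV2_CLIENT_HELLO),
                       ("http", PLAIN_HTTP), ("http-ssl-word", PLAIN_MENTIONING_SSL)]:
        print(name, pick_pool(data))
```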