Forum Discussion
Naman_65674
Nimbostratus
NimbostratusSSL command on non-SSL VIP
Hello,
I want to create an Irule which will be used by two VIPs, one which uses SSL and the other doesnt. Dont ask why but i want to do something like this:
if { [TCP::local_port] == "443" } {
catch { SSL::disable serverside }
}
but i get the following error when i try to associate the iRule to the Virtual Server:
SSL::disable in rule () requires an associated SERVERSSL or CLIENTSSL profile on the virtual server ()
Can anyone think of a workaround for this? I thought the catch statement would help but was unlucky with that one.
Thanks,
Naman
Nicolas_MenantEmployee
Hi,
The SSL::disable command works when the BIGIP is the SSL termination of the SSL flow.
In your configuration it must not be the case, the SSL flow is established between the client and the server.
This is for example when you process HTTP and HTTPS on the same virtual server:port
then you can do something like this:class http_methods { "GET” “POST” “HEAD” “PUT” } when CLIENT_ACCEPTED { TCP::collect 5 } when CLIENT_DATA { if { [matchclass [TCP::payload] starts_with $::http_methods] } { SSL::disable } }
This way if it's HTTPS you maintain your SSL configuration to make the BIGIP being the SSL termination with your client (ie it will talk in HTTPS) but if it's HTTP you receive then you disable your SSL profile to talk in HTTP only
N.
Naman_65674Thanks guys for your help. Aaron I tried your way and it worked great! Just wondering though, does it matter which event i call that in. I am currently doing it in HTTP_REQUEST..
Thanks,
Naman- It should function all right in HTTP_REQUEST, Naman, but it would be more efficient in CLIENT_ACCEPTED since it would only run once per connection rather than once per request.
Colin
