Forum Discussion
T_Rajneesh
Nimbostratus
NimbostratusSSL issue "Server throwing SSL exceptions"
Hi,
We have a setup where a request comes from Imperva to F5 will come as https but when sending request downstream to pool F5-> WCS, we are getting error. Possible the request needs to be modified to Http that should possibly resolve the issue. Currently when request is coming as HTTPS to backend server throwing SSL exceptions.
Is there a way, we can write a in irule to send traffic coming as https to backend server with http ?
Thank you
Perfect!
Please, don't forget to score my answer (or marking as "the best") if it was helpful for you ;-)
Hello.
When you have a configuration like this in your virtual server
Client SSL profile: yes
Server SSL profile: none
You are already sending traffic offloaded to the backend server.
KR,
Dario.
T_RajneeshHi Dario, We have VIP with both Client & Server SSL offloading but here we have an I rule attached to this VIP, stating to send the request to other pool not associated to this VIP whose node/ server listening in port 3737 example VIP Test..443 Pool abc. Server 1 -443 Server 2-443 But irule attached in this VIP to sent traffic to Pool xyx Server 3-3737You can have a VS with both SSL profiles (client & server) and desactivate one of them using an iRule (or even better a policy).
One example:
>> VS
ltm virtual VS-TEST_443 { destination 10.1.1.1:https ip-protocol tcp mask 255.255.255.255 pool P-ABC_443 profiles { clientssl { context clientside } http { } serverssl { context serverside } tcp { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }>> RULE
when HTTP_REQUEST { if { [HTTP::host] equals "url.com"}{ SSL::disable serverside pool P-XYZ_3737 } }IMPORTANT: the communication to the backend P-XYZ_3737 should have to be using HTTP (not HTTPS), to avoid errors.
KR,
Dario.
- T_Rajneesh
Thanks Dario. You suggestion worked !!
- T_Rajneesh
HI Dario,
Can you please help me here, we are still getting error when accessing website.. Only it works when port 80 is enabled on server. But actual server listening on port 3737.
is it possible to write i-rule to send request to backend pool with port 3737 ?
Thanking you in advance.
Actually, the irule is already configured to send the traffic to the backend with port 3737 when the hostname matches "url.com".
If you are using encryption, you should not disable SSL server profile.
Hope this helps
KR,
Dario.
- T_RajneeshThanks for prompt reply Dario. Server is not listening on port 443. SSL disable is fine. Server/application owner enabled only port 3737 & expected to access application on port 3737 only. But it was not working with given irule unless they enable port 80 on Server. Not sure if request coming to F5 is on port 80 or 3737. Is it possible to enable port 3737 after SSL client side offloading & send request to back end server assuming request presently coming to F5 in port 80
