Forum Discussion

T_Rajneesh's avatar
T_Rajneesh
Icon for Nimbostratus rankNimbostratus
Jun 19, 2019

SSL issue "Server throwing SSL exceptions"

Hi,

We have a setup where a request comes from Imperva to F5 will come as https but when sending request downstream to pool F5-> WCS, we are getting error. Possible the request needs to be modified to Http that should possibly resolve the issue.  Currently when request is coming as HTTPS to backend server throwing SSL exceptions.

Is there a way, we can write a in irule to send traffic coming as https to backend server with http ?

 

Thank you

  • Perfect!

     

    Please, don't forget to score my answer (or marking as "the best") if it was helpful for you ;-)

  • Hello.

    When you have a configuration like this in your virtual server

    Client SSL profile: yes

    Server SSL profile: none

    You are already sending traffic offloaded to the backend server.

    KR,

    Dario.

    • T_Rajneesh's avatar
      T_Rajneesh
      Icon for Nimbostratus rankNimbostratus
      Hi Dario, We have VIP with both Client & Server SSL ​ offloading but here we have an I rule attached to this VIP, stating to send the request to other pool not associated to this VIP whose node/ server listening in port 3737 ​ example VIP Test..443 Pool abc​. Server 1 -443​ Server 2-443 ​ But irule attached in this VIP to sent traffic to Pool xyx Server 3-3737​
      • Dario_Garrido's avatar
        Dario_Garrido
        Icon for MVP rankMVP

        You can have a VS with both SSL profiles (client & server) and desactivate one of them using an iRule (or even better a policy).

        One example:

        >> VS

        ltm virtual VS-TEST_443 {
            destination 10.1.1.1:https
            ip-protocol tcp
            mask 255.255.255.255
            pool P-ABC_443
            profiles {
                clientssl {
                    context clientside
                }
                http { }
                serverssl {
                    context serverside
                }
                tcp { }
            }
            source 0.0.0.0/0
            source-address-translation {
                type automap
            }
            translate-address enabled
            translate-port enabled
        }

        >> RULE

        when HTTP_REQUEST {
            if { [HTTP::host] equals "url.com"}{
                SSL::disable serverside
                pool P-XYZ_3737
            }
        }

        IMPORTANT: the communication to the backend P-XYZ_3737 should have to be using HTTP (not HTTPS), to avoid errors.

        KR,

        Dario.

  • HI Dario,

     

    Can you please help me here, we are still getting error when accessing website.. Only it works when port 80 is enabled on server. But actual server listening on port 3737.

     

    is it possible to write i-rule to send request to backend pool with port 3737 ?

     

    Thanking you in advance.

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP

      Actually, the irule is already configured to send the traffic to the backend with port 3737 when the hostname matches "url.com".

      If you are using encryption, you should not disable SSL server profile.

      Hope this helps

      KR,

      Dario.

      • T_Rajneesh's avatar
        T_Rajneesh
        Icon for Nimbostratus rankNimbostratus
        Thanks for prompt reply Dario. Server is not listening on port 443. SSL disable is fine. Server/application owner enabled only port 3737 & expected to access application on port 3737 only. But it was not working with given irule unless they enable port 80 on Server. Not sure if request coming to F5 is on port 80 or 3737. Is it possible to enable port 3737 after SSL client side offloading & send request to back end server assuming request presently coming to F5 in port 80