Forum Discussion

lmalafati_54233's avatar
lmalafati_54233
Icon for Nimbostratus rankNimbostratus
Dec 01, 2010

SSL Offload and redirect pools

Hi All,

 

 

I have the follow scenario and I would like know If there are one way to try to solve this using iRules.

 

 

 

The condition is...one VS that responds on https using ssl offload and I need to redirect some uri to another pool and other condiction is keep the ssl conection for other URI. All others can be use the default pool on HTTP port.

 

 

 

(Client) <--- HTTPS ----> (F5 SSL Offload) <--IF /siteA (HTTP) ----> Pool A (Server Side)

 

<--IF /siteB (HTTP) ----> Pool B (Server Side)

 

<--IF /siteC (HTTPS) ----> Pool B (Server Side)

 

 

 

Is it possible?

 

 

 

Thanks in advance!

 

 

Leonardo

16 Replies

  • You should be able to use iRules for this.

     

     

    To confirm, siteB goes to Pool B:80 while siteC goes to Pool B:443?
  • Hi Chris,

     

     

    It's correct. Just to reminder the domain is the same: Ex. www.domain.com/siteA , www.domain.com/siteB and www.domain.com/siteC.

     

     

     

    Thanks.

     

    Leonardo

     

     

  • i did a bit testing. pls feel free to revise.

    
    virtual bar {
       snat automap
       destination 172.28.17.55:https
       ip protocol tcp
       rules myrule
       profiles
          clientssl
          http
          serverssl
          tcp
    }
    pool poola {
       members 10.10.70.110:http
    }
    pool poolb {
       members 10.10.70.120:http
    }
    pool poolb_https {
       members 10.10.70.120:https
    }
    rule myrule {
       when HTTP_REQUEST {
            switch -glob [HTTP::uri] {
                    "/siteA*" {
                            SSL::disable serverside
                            pool poola
                    }
                    "/siteB*" {
                            SSL::disable serverside
                            pool poolb
                    }
                    "/siteC*" {
                            pool poolb_https
                    }
                    default {
                             do something
                    }
            }
    }
    }
    

    just want to show connection could be established.

    
     curl -Ik https://172.28.17.55/siteA
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:55 GMT
    Server: Apache/2.0.59 (rPath)
    Vary: Accept-Encoding
    Content-Type: text/html; charset=iso-8859-1
    
     curl -Ik https://172.28.17.55/siteB
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:58 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1
    
     curl -Ik https://172.28.17.55/siteC
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:59 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1
    
  • Thanks for doing the switch statement nitass!

     

     

    Which is the better option? Enabling the Server SSL profile on the Virtual Server and disabling it where necessary via iRule, or not enabling it on the Virtual Server, and enabling it where necessary via iRule?
  • Chris / Nitass,

     

     

    Thanks for your help!

     

    I will do the test with my sites and I return to you the result!

     

     

    Leonardo

     

     

  • As Chris said, you can use an iRule to selectively disable the server SSL profile. See the SSL::disable wiki page for an example:

    http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__disable

    
    when HTTP_REQUEST {
      set usessl 0
      if { [string tolower [HTTP::uri]] starts_with "/secure" } {
        pool ssl__pool
        set usessl 1
      } else {
        pool static_pool
        set usessl 0
      }
    }
    when SERVER_CONNECTED {
      if { $usessl == 0 } {
        SSL::disable
      }
    }
    

    Aaron
  • Hi guys,

     

    I have the same issue, my VS on 443 port and pools with 80 port. Can I use the same irule ?

     

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee

      I have the same issue, my VS on 443 port and pools with 80 port. Can I use the same irule ?

       

      Daniel,

       

      You don't even need an iRule in this case. This is just a simple VIP listening on port 443, with a client SSL profile and a pool that points to servers on port 80. The client SSL profile decrypts the SSL on the client side, and the lack of a server SSL profile allows that traffic to flow unencrypted to the servers.

       

    • Daniel_Alves_19's avatar
      Daniel_Alves_19
      Icon for Nimbostratus rankNimbostratus

      Ok, I got it, but I have different backend pools with http port, so I need to forward traffic based on URI to those pools. How can I do this with iRule?

       

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      when HTTP_REQUEST {
          switch -glob [HTTP::uri] {
              "/foo*" { pool foo_pool }
              "/bar*" { pool bar_pool }
              "/blah*" { pool blah_pool }
              default { pool default_pool }
          }
      }