Forum Discussion
SSL Offload and redirect pools
I have the following scenario and I would like to know if there is a way to solve this using iRules.
The condition is: one VS that responds on HTTPS using SSL offload, and I need to redirect some URIs to another pool. The other condition is to keep the SSL connection for other URIs. All others can use the default pool on the HTTP port.
    (Client) <--- HTTPS ----> (F5 SSL Offload) <--IF /siteA (HTTP) ----> Pool A (Server Side)
                                               <--IF /siteB (HTTP) ----> Pool B (Server Side)
                                               <--IF /siteC (HTTPS) ----> Pool B (Server Side)
Is it possible?
Thanks in advance!
Leonardo
16 Replies
- Chris_Miller
Altostratus
You should be able to use iRules for this.
- lmalafati_54233
Nimbostratus
Hi Chris,
- nitass
Employee
I did a bit of testing. Please feel free to revise.

    virtual bar {
       snat automap
       destination 172.28.17.55:https
       ip protocol tcp
       rules myrule
       profiles clientssl http serverssl tcp
    }
    pool poola {
       members 10.10.70.110:http
    }
    pool poolb {
       members 10.10.70.120:http
    }
    pool poolb_https {
       members 10.10.70.120:https
    }
    rule myrule {
       when HTTP_REQUEST {
          switch -glob [HTTP::uri] {
             "/siteA*" {
                SSL::disable serverside
                pool poola
             }
             "/siteB*" {
                SSL::disable serverside
                pool poolb
             }
             "/siteC*" {
                pool poolb_https
             }
             default {
                # do something
             }
          }
       }
    }

    curl -Ik https://172.28.17.55/siteA
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:55 GMT
    Server: Apache/2.0.59 (rPath)
    Vary: Accept-Encoding
    Content-Type: text/html; charset=iso-8859-1

    curl -Ik https://172.28.17.55/siteB
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:58 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1

    curl -Ik https://172.28.17.55/siteC
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:59 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1

- Chris_Miller
Altostratus
Thanks for doing the switch statement, nitass!
- lmalafati_54233
Nimbostratus
Chris / Nitass,
- hoolio
Cirrostratus
As Chris said, you can use an iRule to selectively disable the server SSL profile. See the SSL::disable wiki page for an example:

    when HTTP_REQUEST {
       set usessl 0
       if { [string tolower [HTTP::uri]] starts_with "/secure" } {
          pool ssl__pool
          set usessl 1
       } else {
          pool static_pool
          set usessl 0
       }
    }
    when SERVER_CONNECTED {
       if { $usessl == 0 } {
          SSL::disable
       }
    }

- Daniel_Alves_19
Nimbostratus
Hi guys,
I have the same issue: my VS is on port 443 and the pools are on port 80. Can I use the same iRule?
- Kevin_Stewart
Employee
I have the same issue: my VS is on port 443 and the pools are on port 80. Can I use the same iRule?
Daniel,
You don't even need an iRule in this case. This is just a simple VIP listening on port 443, with a client SSL profile and a pool that points to servers on port 80. The client SSL profile decrypts the SSL on the client side, and the lack of a server SSL profile allows that traffic to flow unencrypted to the servers.
- Daniel_Alves_19
Nimbostratus
Ok, I got it, but I have different backend pools on the HTTP port, so I need to forward traffic based on URI to those pools. How can I do this with an iRule?
- Kevin_Stewart
Employee
    when HTTP_REQUEST {
       switch -glob [HTTP::uri] {
          "/foo*" {
             pool foo_pool
          }
          "/bar*" {
             pool bar_pool
          }
          "/blah*" {
             pool blah_pool
          }
          default {
             pool default_pool
          }
       }
    }
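
The `switch -glob` rules posted in this thread match the raw URI case-sensitively and by prefix, while hoolio's example lowercases the URI first. The plain-Tcl script below is an added example, not code from any poster or from F5, that shows which requests end up on a TLS or a cleartext server-side hop under each approach. It assumes the default branch is a cleartext HTTP pool (named `default_pool` here), and `route_strict` and `compare` are hypothetical helpers that go one step beyond the thread by also matching whole path segments.

```tcl
# Added example, not from the thread. Plain Tcl for tclsh 8.5+: the URI is a
# proc argument instead of [HTTP::uri]; pool names are the ones used above.

# Routing as posted: case-sensitive glob against the whole URI.
# Assumption: the default branch is a cleartext HTTP pool, as the question asks.
proc route_posted {uri} {
    switch -glob -- $uri {
        "/siteA*" { return {poola plain} }
        "/siteB*" { return {poolb plain} }
        "/siteC*" { return {poolb_https tls} }
        default   { return {default_pool plain} }
    }
}

# Hypothetical stricter policy: drop the query string, fold case as in
# hoolio's example, and require a whole first path segment.
proc route_strict {uri} {
    set path [string tolower [lindex [split $uri ?] 0]]
    switch -glob -- $path {
        "/sitea" - "/sitea/*" { return {poola plain} }
        "/siteb" - "/siteb/*" { return {poolb plain} }
        "/sitec" - "/sitec/*" { return {poolb_https tls} }
        default               { return {default_pool plain} }
    }
}

# Print where each URI lands under both matchers; return the URIs whose
# server-side hop is TLS under one matcher and cleartext under the other.
proc compare {uris} {
    set flagged {}
    foreach uri $uris {
        lassign [route_posted $uri] p1 t1
        lassign [route_strict $uri] p2 t2
        puts [format "%-18s posted=%-12s %-5s strict=%-12s %-5s" \
            $uri $p1 $t1 $p2 $t2]
        if {$t1 ne $t2} { lappend flagged $uri }
    }
    return $flagged
}

# Constructed sample URIs that sit on the edges of the patterns.
set samples {/siteC/login /sitec/login /siteC?id=7 /siteCatalog/list /siteAdmin /other}
puts "TLS/cleartext differs for: [compare $samples]"
```

Running the same comparison against the patterns of a real rule before deploying it shows which paths would reach a backend without server-side SSL.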