lmalafati_54233 (Nimbostratus)
Dec 01, 2010

SSL Offload and redirect pools

Hi All,

I have the following scenario and I would like to know if there is a way to solve this using iRules.

The condition is: one VS that responds on HTTPS using SSL offload, and I need to redirect some URIs to another pool; the other condition is to keep the SSL connection for another URI. All others can use the default pool on the HTTP port.

(Client) <--- HTTPS ----> (F5 SSL Offload) <--IF /siteA (HTTP) ----> Pool A (Server Side)
                                           <--IF /siteB (HTTP) ----> Pool B (Server Side)
                                           <--IF /siteC (HTTPS) ----> Pool B (Server Side)

Is it possible?

Thanks in advance!

Leonardo

  • You should be able to use iRules for this.

    To confirm, siteB goes to Pool B:80 while siteC goes to Pool B:443?
  • Hi Chris,

    That's correct. Just a reminder that the domain is the same, e.g. www.domain.com/siteA, www.domain.com/siteB and www.domain.com/siteC.

    Thanks.

    Leonardo

  • I did a bit of testing. Please feel free to revise.

    
    virtual bar {
       snat automap
       destination 172.28.17.55:https
       ip protocol tcp
       rules myrule
       profiles
          clientssl
          http
          serverssl
          tcp
    }
    pool poola {
       members 10.10.70.110:http
    }
    pool poolb {
       members 10.10.70.120:http
    }
    pool poolb_https {
       members 10.10.70.120:https
    }
    rule myrule {
       when HTTP_REQUEST {
          switch -glob [HTTP::uri] {
             "/siteA*" {
                # plain HTTP to the back end
                SSL::disable serverside
                pool poola
             }
             "/siteB*" {
                # plain HTTP to the back end
                SSL::disable serverside
                pool poolb
             }
             "/siteC*" {
                # serverssl profile stays active: HTTPS to the back end
                pool poolb_https
             }
             default {
                # placeholder: handle all other URIs here
             }
          }
       }
    }
    

    Just want to show the connection could be established.

    
     curl -Ik https://172.28.17.55/siteA
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:55 GMT
    Server: Apache/2.0.59 (rPath)
    Vary: Accept-Encoding
    Content-Type: text/html; charset=iso-8859-1
    
     curl -Ik https://172.28.17.55/siteB
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:58 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1
    
     curl -Ik https://172.28.17.55/siteC
    HTTP/1.1 404 Not Found
    Date: Thu, 02 Dec 2010 04:46:59 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1
    
  • Thanks for doing the switch statement nitass!

    Which is the better option? Enabling the Server SSL profile on the Virtual Server and disabling it where necessary via iRule, or not enabling it on the Virtual Server, and enabling it where necessary via iRule?
  • Chris / Nitass,

    Thanks for your help!

    I will test with my sites and get back to you with the result!

    Leonardo

  • As Chris said, you can use an iRule to selectively disable the server SSL profile. See the SSL::disable wiki page for an example:

    http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__disable

    
    when HTTP_REQUEST {
      set usessl 0
      if { [string tolower [HTTP::uri]] starts_with "/secure" } {
        pool ssl__pool
        set usessl 1
      } else {
        pool static_pool
        set usessl 0
      }
    }
    when SERVER_CONNECTED {
      if { $usessl == 0 } {
        SSL::disable
      }
    }
    

    Aaron
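
Added example (not code from any poster in this thread): one iRule for the original three-path scenario, combining the per-URI `SSL::disable serverside` approach with the lowercasing from the example above. It matches on `/sitea` and `/sitea/*` rather than `/siteA*`, calls `SSL::enable serverside` explicitly on the `/siteC` branch so the choice never depends on what an earlier request on the same connection set, and sends every other URI to a plain-HTTP pool. It assumes a virtual server with clientssl, http and serverssl profiles and the pools from the config posted earlier; `default_http_pool` is a hypothetical pool name.

```tcl
# Added example, not from the thread. Assumes a virtual server with
# clientssl, http and serverssl profiles and the pools poola, poolb and
# poolb_https; default_http_pool is a hypothetical name for the pool
# that serves every other URI over plain HTTP.
when HTTP_REQUEST {
    # Match on the path only, lowercased, so /SiteC and /sitec?x=1
    # take the same branch and cannot fall through to a cleartext pool.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/sitea" -
        "/sitea/*" {
            SSL::disable serverside
            pool poola
        }
        "/siteb" -
        "/siteb/*" {
            SSL::disable serverside
            pool poolb
        }
        "/sitec" -
        "/sitec/*" {
            # Re-encrypt to the back end; enable explicitly instead of
            # relying on the state left by a previous request.
            SSL::enable serverside
            pool poolb_https
        }
        default {
            # Everything else: plain HTTP to the default pool.
            SSL::disable serverside
            pool default_http_pool
        }
    }
}
```
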
  • Hi guys,

    I have the same issue: my VS is on port 443 and my pools are on port 80. Can I use the same iRule?


    • Kevin_Stewart (Employee)

      I have the same issue: my VS is on port 443 and my pools are on port 80. Can I use the same iRule?

      Daniel,

      You don't even need an iRule in this case. This is just a simple VIP listening on port 443, with a client SSL profile and a pool that points to servers on port 80. The client SSL profile decrypts the SSL on the client side, and the lack of a server SSL profile allows that traffic to flow unencrypted to the servers.

    • Daniel_Alves_19 (Nimbostratus)

      OK, I got it, but I have different backend pools on the HTTP port, so I need to forward traffic based on URI to those pools. How can I do this with an iRule?

    • Kevin_Stewart (Employee)

      when HTTP_REQUEST {
          switch -glob [HTTP::uri] {
              "/foo*" { pool foo_pool }
              "/bar*" { pool bar_pool }
              "/blah*" { pool blah_pool }
              default { pool default_pool }
          }
      }