Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

lmalafati_54233's avatar
lmalafati_54233
Icon for Nimbostratus rankNimbostratus
Dec 01, 2010

SSL Offload and redirect pools

Hi All,     I have the follow scenario and I would like know If there are one way to try to solve this using iRules.       The condition is...one VS that responds on https using ssl off...
application delivery
dev
devops
irules
Daniel_Alves_19's avatar
Daniel_Alves_19
Icon for Nimbostratus rankNimbostratus
Jun 29, 2017

Hi guys,

 

I have the same issue, my VS on 443 port and pools with 80 port. Can I use the same irule ?

 

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 30, 2017

    I have the same issue, my VS on 443 port and pools with 80 port. Can I use the same irule ?

     

    Daniel,

     

    You don't even need an iRule in this case. This is just a simple VIP listening on port 443, with a client SSL profile and a pool that points to servers on port 80. The client SSL profile decrypts the SSL on the client side, and the lack of a server SSL profile allows that traffic to flow unencrypted to the servers.

     

  • Daniel_Alves_19's avatar
    Daniel_Alves_19
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2017

    Ok, I got it, but I have different backend pools with http port, so I need to forward traffic based on URI to those pools. How can I do this with iRule?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 30, 2017
    when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/foo*" { pool foo_pool }
        "/bar*" { pool bar_pool }
        "/blah*" { pool blah_pool }
        default { pool default_pool }
    }
}
  • Daniel_Alves_19's avatar
    Daniel_Alves_19
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2017

    Kevin,

     

    But http_request is a client side event where is encrypted or just it'll be executed after the certificate decrypt the packet?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 30, 2017

    If you have a client SSL profile applied to the VIP, traffic will be decrypted (OSI layer 6) and allow HTTP events to fire (layer 7).

     

  • Daniel_Alves_19's avatar
    Daniel_Alves_19
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2017

    Kevin,

     

    it´s working with the irule you gave me, the only strange thing I´ve seen is I need to a / at end of uri or does not work.

     

    Example: https://teste.domain.com/core/ (OK) https://teste.domain.com/core (Doesn´t work)

     

    My servers are using http port and I saw the location field on HTTP response header like below and it´s right, is there a way to change this that you know ?

     

    Location: "http://teste.domain.com/core/ Server: "Microsoft-IIS/8.5"

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 30, 2017

    Did you use the -glob option? That allows you to add a wildcard to the end of the pattern, so

    switch -glob [HTTP::uri] {
    "/core*" { pool core_pool }
}

    should match "/core" and "/core/", and "/core/foo", etc.

  • Daniel_Alves_19's avatar
    Daniel_Alves_19
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2017

    Yes, I am using wildcard, but I've seen that without final slash the server respond http://teste.domain.com, the http header location field has this value and doesn't connect.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 30, 2017

    I think you're suggesting that traffic gets to the correct pool member, but that the server itself requires the trailing /.

     

    Is that correct?