Forum Discussion
SSL offloading for https traffic
Scenario:
Nodes: Node1, Node2, Node3
Pool: Node1, Node2
Virtual Server: ABC
VIP: 1.1.1.1
Port: any
SSL offloading is configured on the LTM with a clientssl profile attached to the virtual server. There is a single virtual server with a VIP:ANY configuration. The same virtual server will serve both http and https traffic.
Since the clientssl profile is attached to the virtual server, will it cause any issue for http traffic to the same VS?
Client traffic http to VS 1.1.1.1
Client traffic https to VS 1.1.1.1
18 Replies
- shaggy
Nimbostratus
why not set up a second VS with SSL profiles for SSL traffic? You could use the same pool and VIP; you would just need ABC:443.
- AjayPra_161698
Nimbostratus
Hi shaggy, I would have recommended that, but someone has recommended having fewer virtual servers on the LTMs.
Regards
- shaggy_121467
Cumulonimbus
The following rule will disable SSL processing if the port is not 443. The client-ssl/server-ssl profiles will still be assigned in the virtual server config.
    when CLIENT_ACCEPTED {
        # Only port 443 is expected to carry TLS; any other port on the
        # VIP:ANY virtual server is treated as clear text on both sides.
        if { [TCP::local_port clientside] != 443 } {
            SSL::disable clientside
            SSL::disable serverside
        }
    }
- AjayPra_161698
Nimbostratus
Thanks a lot shaggy. My intention in doing SSL offloading is to match the User-Agent value in the HTTP header, for which I have the following iRule. It seems I have to club the iRule you have provided with the one below.
    when HTTP_REQUEST {
        # Lower-case the User-Agent once so the contains checks are case-insensitive.
        set uagent [string tolower [HTTP::header User-Agent]]
        # Note: browsers send "MSIE 6.0" (with a space), so the bare "msie6"
        # style tokens only match a rewritten header; in practice the
        # "mozilla/4.0" token is what catches IE6 to IE8.
        if { $uagent contains "msie6" or
             $uagent contains "msie7" or
             $uagent contains "msie8" or
             $uagent contains "mozilla/4.0" } {
            pool pool1
        } else {
            pool pool2
        }
    }
- shaggy_121467
Cumulonimbus
you should be able to do all of that in one iRule. Add your HTTP_REQUEST event stanza after the CLIENT_ACCEPTED event stanza.
- AjayPra_161698
Nimbostratus
Hi Shaggy ,
Can you help me to club this iRule?
- shaggy_121467
Cumulonimbus
do you mean combine? should be as simple as:
    when CLIENT_ACCEPTED {
        # Disable SSL handling on both sides unless the client hit port 443.
        if { [TCP::local_port clientside] != 443 } {
            SSL::disable clientside
            SSL::disable serverside
        }
    }
    when HTTP_REQUEST {
        # Runs for both clear-text and offloaded requests once HTTP is visible.
        set uagent [string tolower [HTTP::header User-Agent]]
        # Note: real IE headers read "MSIE 6.0" (with a space), so the "msieN"
        # tokens rarely match; the "mozilla/4.0" token does the work for IE6 to IE8.
        if { $uagent contains "msie6" or
             $uagent contains "msie7" or
             $uagent contains "msie8" or
             $uagent contains "mozilla/4.0" } {
            pool pool1
        } else {
            pool pool2
        }
    }
- AjayPra_161698
Nimbostratus
thanks shaggy. So with this iRule: for http traffic on the VS VIP:Any, http traffic will not be affected by the SSL profile, and the pool will be selected based on the User-Agent value. For https traffic, client-side SSL offloading will be done and the pool will be selected based on the HTTP header User-Agent value?
- shaggy_121467
Cumulonimbus
that's how it should work. I didn't test it out, so it may be worth checking in a test environment before putting it into production.
- AjayPra_161698
Nimbostratus
Hi Shaggy, I came across the Non-SSL Connections setting on the client SSL profile. I think with this setting we needn't disable SSL for non-https traffic.
Accepting non-SSL connections: Using the Non-SSL Connections setting, you can configure the BIG-IP system to accept connections that are not SSL connections. In this case, connections pass through the BIG-IP system in clear-text format. By default, this setting is disabled.
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_ssl_profiles.html
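The HTTP_REQUEST stanza of the combined iRule above steers traffic purely on substrings of the User-Agent header. The following added example (not posted in this thread, and not F5 code) mirrors that predicate in Python and runs it over constructed User-Agent strings in the formats browsers really send, so the matching can be checked before the iRule goes to production; the sample strings and the pool names pool1/pool2 are taken from the thread, everything else is assumed.

```python
"""Added example: exercise the posted iRule's pool-selection predicate offline."""

# The four tokens the posted iRule tests with `contains` after `string tolower`.
IRULE_TOKENS = ("msie6", "msie7", "msie8", "mozilla/4.0")


def select_pool(user_agent: str) -> str:
    """Mirror the iRule: pool1 if any token is a substring of the lowered UA, else pool2."""
    uagent = user_agent.lower()
    return "pool1" if any(tok in uagent for tok in IRULE_TOKENS) else "pool2"


def token_hits(user_agent: str) -> list:
    """Return the tokens that matched, to show *why* a UA landed in pool1."""
    uagent = user_agent.lower()
    return [tok for tok in IRULE_TOKENS if tok in uagent]


# Constructed sample User-Agent strings (real browser formats, not captured traffic).
SAMPLE_UAS = {
    "ie6":     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie8":     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie11":    "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    # A request without a User-Agent header: HTTP::header yields an empty string.
    "missing": "",
}


def classify_all() -> dict:
    """Map each sample name to (selected pool, tokens that matched)."""
    return {name: (select_pool(ua), token_hits(ua)) for name, ua in SAMPLE_UAS.items()}


if __name__ == "__main__":
    for name, (pool, hits) in classify_all().items():
        print(f"{name:8} -> {pool}  matched={hits}")
```

Running it shows that IE6 and IE8 reach pool1 only via the "mozilla/4.0" token (the "msie6"/"msie8" tokens never match a real header because of the space in "MSIE 6.0"), while IE11, Firefox and a missing header all fall through to pool2. Because the header is entirely client-supplied, this kind of steering is a compatibility convenience, not a control that can be relied on to keep a client away from a pool.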