Forum Discussion
AltocumulusSSL Offloading for specific IPs or range of IPs
Something like this maybe (where offload_ips is a data-group with ip host and ip/mask as specified)
when CLIENT_ACCEPTED priority 500 { if {[class match -- [IP::client_addr] equals offload_ips]} { SSL::enable pool new_stack_cloud_application } else { SSL::disable pool on_premise_applications_servers } }JRahm, I beg to differ and offer a different solution. Not every problem requires an iRule to be solved. 🙂
I'd rather create two virtual servers, one with pool_A and SSL Bridging configured and another one with pool_B and SSL Passthrough, and make use of K14800: Order of precedence for virtual server matching.Order Destination Source Port 1 (host address) (network address) (port) 2 (host address) * (port) For the source you can use an Address List as described in this Manual article: Configuring Multiple IP Addresses and Service Ports for a Virtual Server. This would replace the datagroup for matching the source IP address(es).
KR
Daniel
AdminSomething like this maybe (where offload_ips is a data-group with ip host and ip/mask as specified)
when CLIENT_ACCEPTED priority 500 {
if {[class match -- [IP::client_addr] equals offload_ips]} {
SSL::enable
pool new_stack_cloud_application
} else {
SSL::disable
pool on_premise_applications_servers
}
}
AltocumulusThanks JRahm, this helps!
- JRahm
untested...make sure to test in a lab! if you have trouble I might be able to mock up tomorrow.
- maadavan
Unfortunately I dont own F5 LTM environment to test it. So would be passing across your solution to them. Would let you know in case of any issues during implementation. Thanks much.
