Forum Discussion

maadavan's avatar
maadavan
Icon for Altocumulus rankAltocumulus
Jun 05, 2023

SSL Offloading for specific IPs or range of IPs

Current flow is as below Client -> F5 LTM (SSL Proxying) -> On premise Application Servers (TLS Offloading). Certificates that do TLS offloading has F5 LTM DNS as CN/SAN. For a migration of my on ...
application delivery
iRules
offloading
ssl
  • JRahm's avatar
    JRahm
    Jun 05, 2023

    Something like this maybe (where offload_ips is a data-group with ip host and ip/mask as specified)

    when CLIENT_ACCEPTED priority 500 {
    if {[class match -- [IP::client_addr] equals offload_ips]} {
        SSL::enable
        pool new_stack_cloud_application
    } else {
        SSL::disable
        pool on_premise_applications_servers
    }
}

     

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Jun 06, 2023

    JRahm, I beg to differ and offer a different solution. Not every problem requires an iRule to be solved. 🙂
    I'd rather create two virtual servers, one with pool_A and SSL Bridging configured and another one with pool_B and SSL Passthroughand make use of K14800: Order of precedence for virtual server matching.  

    OrderDestinationSourcePort
    1(host address)(network address)(port)
    2(host address)*(port)

    For the source you can use an Address List as described in this Manual article: Configuring Multiple IP Addresses and Service Ports for a Virtual Server. This would replace the datagroup for matching the source IP address(es).

    KR
    Daniel 

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP

JRahm, I beg to differ and offer a different solution. Not every problem requires an iRule to be solved. 🙂
I'd rather create two virtual servers, one with pool_A and SSL Bridging configured and another one with pool_B and SSL Passthroughand make use of K14800: Order of precedence for virtual server matching.  

OrderDestinationSourcePort
1(host address)(network address)(port)
2(host address)*(port)

For the source you can use an Address List as described in this Manual article: Configuring Multiple IP Addresses and Service Ports for a Virtual Server. This would replace the datagroup for matching the source IP address(es).

KR
Daniel 

JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jun 06, 2023

Daniel_Wolf HOW DARE YOU BEG TO DIFFER!! 😎

But seriously, 💯 on only using iRules where necessary. maadavan, this solution is definitely the way to go!

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Jun 06, 2023

    I'm always looking for trouble... 😁😁😁

  • maadavan's avatar
    maadavan
    Icon for Altocumulus rankAltocumulus
    Jun 06, 2023

    Thanks for clarifying & providing quick solutions JRahm , Daniel_Wolf