Forum Discussion
carter91_13591
Nimbostratus
Feb 26, 2010
SSL over port 8080
I have a web server that has two sites running on it. One on port 80, and the other on port 8080.
I have 3 virtual servers created on the F5. One for port 80, one for port 8080, and another for 443.
On the one for port 80, I have an iRule attached, so when somebody types in http://servername.domain.com it redirects it automatically to https://servername.domain.com
It works quite well.
I need to get SSL working for the one on port 8080, and can't seem to figure it out. I tried using my original iRule that just does a redirect to https: like I have for the site on port 80, and it didn't work. I created a 2nd iRule and just manually typed in the URL I wanted it to direct it to instead of the host value (https://servername.domain.com:8080), which didn't work either.
I can't seem to get the site running on port 8080 to work with SSL.
Any hints?
Just using the standard iRules for http to https redirects:
when HTTP_REQUEST {
    HTTP::redirect https://[HTTP::host]
}
Also tried:
when HTTP_REQUEST {
    HTTP::redirect https://servername.domain.com:8080
}
12 Replies
- hoolio
Cirrostratus
Which port(s) do you want clients to connect to the VIP(s) on? Typically, you'd have an HTTP VIP running on port 80 and an HTTPS VIP running on port 443. And then which port(s) do you want LTM to send requests to the pool member(s) on for each VIP? The VIP port and client/server side SSL configuration is independent of the pool member(s) port(s). If you enable port translation on the VIP, LTM will translate the destination port when establishing a connection to the pool members to the port the pool member is defined on. LTM will decrypt SSL on the clientside connection if you add a client SSL profile to the VIP.
Aaron
- carter91_13591
Nimbostratus
Yeah, we have set up similar ones in the past, and like you said originally, I had two VIPS, one listening on port 80, and the other on 443.
When a client would have a user type in http://servername.domain.com it would redirect them to https://servername.domain.com
Right now, I have the VIP working on port 8080, with the pool member listening on port 8080. If they type in http://servername.domain.com:8080 it connects, but I want this to be https://servername.domain.com:8080
So are you saying, I should delete that third VIP I have listening on port 8080 and create another one listening on port 443 and use the pool member that has the server listening on port 8080?
- hoolio
Cirrostratus
If you want to have an HTTP VIP that redirects all requests to HTTPS you can create an HTTP VIP with an HTTP class or iRule which redirects to https://[HTTP::host][HTTP::uri]. You can then define an HTTP pool of servers on port 80 and/or 8080. Use this HTTP pool on an HTTPS VIP defined on port 443. Add a client SSL profile to the VIP and you should be set.
You don't need the 8080 VIP at all, unless you want clients to use :8080 in the URLs.
Aaron
- Elias_O_16228
Nimbostratus
I know this thread is old but I have a similar situation but a little bit different. Hoping to pick your brains.
Developers wanted to access SSL on port 9089 (non SSL port), a self signed cert generated on the server. This works without LTM thus: (https://10.10.10.10:9089).
I want to throw this through the LTM for load balancing purpose.
Then, I created the pool and the following:
1. clientside SSL profile
2. Serverside SSL Profile
3. http VIP with clientside and serverside profiles enabled and http redirect to https but still not working. I know the redirect works because I use it for other connections and it's working just fine.
What could be causing this not to work?
Help needed.
Thanks
- nitass
Employee
can you post the virtual server and pool configuration?
tmsh list ltm virtual (name)
tmsh list ltm pool (name)
- Kevin_Stewart
Employee
Do you want to access the HTTPS application through the LTM with this port or with the standard 443? If the former, is there a chance that your http redirect does not include the port number? You would necessarily need to redirect to "https://[HTTP::host]:9089[HTTP::uri]". Otherwise you just need client and server SSL profiles, an HTTP profile, and a pool of servers listening on port 9089. Do you see anything unusual in the LTM logs?
- Elias_O_16228
Nimbostratus
"Do you want to access the HTTPS application through the LTM with this port or with the standard 443?"
Want to access non SSL port 9089. Absolutely, the https does not have the port.
See output below:
ltm virtual HTTPS-TEST-Virtual-Server {
    destination 10.10.10.10:9089
    fallback-persistence source_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool HTTPS-TEST-Pool
    profiles {
        Client_Profile {
            context clientside
        }
        server_side_profile {
            context serverside
        }
        http { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
    }
    rules {
        redirect_irule
    }
}
ltm pool HTTPS-TEST-Pool {
    members {
        9.9.9.9:9089 {
            session monitor-enabled
        }
        9.9.9.10:9089 {
            session monitor-enabled
        }
    }
    monitor min 1 of { https }
}
------------------------
when HTTP_REQUEST {
    # Check if the client used an SSL cipher
    if {not ([catch {SSL::cipher version} result]) && [string tolower $result] ne "none"} {
        # Client did use a cipher
        log local0. "\$result: $result. Allowing encrypted request."
    } else {
        # Client did not use a cipher
        log local0. "\$result: $result. Redirecting unencrypted request. [HTTP::host][HTTP::uri]"
        HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]"
    }
}
- Kevin_Stewart
Employee
I would do two things:
1. Re-enable your logging statements to see what is happening.
2. Modify your redirect to include the port: HTTP::respond 302 Location "https://[HTTP::host]:9089[HTTP::uri]".
After you've done this, does it work if you go to HTTPS directly? I have to assume that your HTTP-to-HTTPS redirect won't work because you have a client SSL profile applied to the VIP. Having HTTP and HTTPS work on the same VIP with the same port is challenging, but there are ways around this. Let's start with basic functionality first and work from there. I would also remove the iRule for now and just make sure the HTTPS VIP is working.
- Elias_O_16228
Nimbostratus
If I remove the irule which is the redirect that contains the port 9089. Maybe you thought I am using "traffic class". No traffic class.
I removed clientssl profile, it complains existence of irule. Removed irule and clientssl profile, no luck.
Just to reiterate: I want to access https://10.10.10.10:9089. This is working without LTM
- nitass
Employee
"Just to reiterate: I want to access https://10.10.10.10:9089. This is working without LTM"
isn't 10.10.10.10 virtual server address? why do you say it works without ltm??
"If I remove the irule which is the redirect that contains the port 9089."
i think you may not need the irule. have you ever tried not using it?
e.g.
ltm virtual HTTPS-TEST-Virtual-Server {
    destination 10.10.10.10:9089
    fallback-persistence source_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool HTTPS-TEST-Pool
    profiles {
        Client_Profile {
            context clientside
        }
        server_side_profile {
            context serverside
        }
        http { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
    }
}
ltm pool HTTPS-TEST-Pool {
    members {
        9.9.9.9:9089 {
            session monitor-enabled
        }
        9.9.9.10:9089 {
            session monitor-enabled
        }
    }
    monitor min 1 of { https }
}
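Added example (not part of the thread, and not F5's or any poster's code): an iRule for the plain-HTTP virtual server that builds the redirect the replies describe, with the HTTPS port stated explicitly. It drops any port the client sent in the Host header, so a request made to :8080 is not sent back to the cleartext listener, and it redirects only for an expected host name. The port 9089 and the name servername.domain.com come from the thread; treating them as the HTTPS listener port and the only served name is an assumption.

```tcl
# Attach to the cleartext HTTP virtual server only. A virtual server with a
# client SSL profile expects a TLS handshake and never hands a plain-HTTP
# request to this event.
when HTTP_REQUEST {
    # Assumption: port of the HTTPS virtual server (9089 in the thread).
    set https_port 9089

    # The Host header is client-supplied and may already carry a port,
    # e.g. "servername.domain.com:8080". Keep only the name part so the
    # Location header never becomes "host:8080:9089" or points back at the
    # HTTP port.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Redirect only for names this virtual server is meant to serve, so a
    # forged Host header cannot steer the Location to another site.
    switch -- $host {
        "servername.domain.com" {
            if { $https_port == 443 } {
                # Default HTTPS port: leave it out of the URL.
                HTTP::respond 302 Location "https://${host}[HTTP::uri]"
            } else {
                HTTP::respond 302 Location "https://${host}:${https_port}[HTTP::uri]"
            }
        }
        default {
            # Unknown or empty Host (including IPv6 literals, which the
            # ":" split above does not handle): refuse instead of redirecting.
            log local0. "Rejected redirect for unexpected Host: [HTTP::host]"
            HTTP::respond 400 content "Bad Request"
        }
    }
}
```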