Forum Discussion
hoolio
Cirrostratus
CirrostratusSSL profile options
Can you set the nonssl option for a client SSL profile in a rule? I'd like to be able to give a few customers a rule to use on port 0 VIPs and not have to force them to enable this option on each client SSL profile if it's not already.
Also, what is SSL::mode used for? I see it in the ASM_clientside rule:
if {([PROFILE::exists clientssl] == 1) && ([SSL::mode] == 1)}
I've also seen a reference to:
PROFILE::clientssl mode
And:
PROFILE::serverssl mode
I checked the wiki but didn't find any info on these commands.
Can someone provide more detail on these options? What does SSL::mode indicate? What other attributes are there for PROFILE::clientssl|serverssl? Can the commands be used to set the values or only retrieve them?
Thanks,
Aaron
hoolioSo it looks like the nonssl option on the client SSL profile is the same as using SSL::disable in a rule. You have to be able to determine when to disable SSL though.
Can anyone shed light on the other questions?
Thanks,
Aaron
Tom_Kivlin_9335Nimbostratus
Aaron,
Did you get an answer for this? I am trying to figure out PROFILE::serverssl myself and am wondering if I can get certain traffic to use a serverssl profile, with everything else not using it.
Cheers,
Tom.- hoolioHi Tom,
You can configure a server SSL profile on the VIP and then use SSL::disable in an iRule to selectively disable the server side encryption. Here's an example:when HTTP_REQUEST { Check if request matches the criteria to disable server-side SSL if { [HTTP::uri] starts_with "/clear"}{ disable SSL on the serverside context SSL::disable serverside select the http pool pool http_pool } else { default is to use server-side SSL and the https pool pool https_pool } }
Aaron - Tom_Kivlin_9335Aaron,
Thanks for that, it's given me a different angle to look at. I need to find something to only use the server-side SSL on POST requests. My thoughts would be:when HTTP_REQUEST { SSL::disable serverside if {[HTTP::method] equals POST} { SSL::enable serverside pool https_pool } }
Does that make sense? - hoolioThat would work as far as the SSL goes, assuming you have the http_pool as the default pool on the virtual server. Here's another option that works based on the idea that you have SSL enabled on the serverside by default with the server SSL profile on the virtual server:
when HTTP_REQUEST { if {not ([HTTP::method] equals "POST")} { SSL::disable serverside pool http_pool } default action is to use server SSL and the default https_pool on the vip }
Aaron - Tom_Kivlin_9335Awesome! Thanks very much - that is just what I'm after.
F5Rookie_28647Aaron, since you seem to be will versed in the SSL configuration maybe you can help me in my situation.
I have a wildcard certificate installed so that:
* https://login.mycompany.com
* https://secure.mycompany.com
All resolve to the same IP address/port. However I need come up with an iRule so that I can assign each SSL subdomain to their own pool. Something like this:when HTTP_REQUEST { if { [string tolower [HTTP::host]] equals "login.mycompany.com"} { pool LOGIN } elseif { [string tolower [HTTP::host]] equals "secure.mycompany.com"} { pool SECURE } else { pool WebServer } }
The above rule works fine for my non-SSL traffic but HTTP_REQUEST is blank for SSL requests so I don't know what to do. I was hoping to find a HTTPS_REQUEST but apparently that does not exist. Any help would be GREATLY appreciated!!!- F5Rookie_28647Aaron, thanks for your quick reply.
I was able to figure out what my problem was this morning. I had an iRule setup on my http virtual server but NOT on my https virtual server. Simple mistake on my part. I added the same rule to both and things worked!
Thanks again!