Forum Discussion

Mark_du_Plessis
Sep 08, 2005

SSL Proxy on F5

All,

Once again, a question from a newbie. I've been trying to set up a rule that says something along the lines of:

    else if (http_uri matches_regex "/memberspage.asmx" and server_port == 80) {
        discard
    }
    else {
        use pool http_servers
    }

I do have statements prior to the above ones, and they all work, but the bit I'm trying to get to work should logically say:

Only allow port 443 traffic to Memberspage. If http traffic is coming to memberspage, discard it.

The problem I have is that the rule blocks all traffic. The Big-IP is doing its own SSL proxying on that virtual server, so as I understand it, the Big-IP decrypts before passing the request on to the iRule. So how can I differentiate between http and https traffic?

Thanks,

Mark

1 Reply

  • hoolio
    If I understand your scenario correctly, I think you could use a proxy, two virtual servers and two rules to accomplish this.

    You could configure a proxy on an external IP address -> loopback virtual server -> rule that routes requests for '/memberspage.asmx' to your HTTP pool. You could then create a separate virtual server on the same external IP address as the proxy on port 80 that points to a rule that discards any requests for '/memberspage.asmx'.

    There may be a trickier method for only using one rule and differentiating whether the original request was made to port 443 or port 80, but I'm not sure what it would be.

    Here is a quick example:

        proxy 1.2.3.4:443 unit 1 {
            target virtual 127.2.3.4:80
            clientssl enable
            clientssl key my.ssl.key
            clientssl cert my.ssl.crt
        }

        virtual 127.2.3.4:80 unit 1 {
            netmask 255.255.255.255
            use rule rule_allow_http_to_members
        }

        rule rule_allow_http_to_members {
            if (http_uri starts_with "/memberspage.asmx") {
                use pool members_asmx_pool
            }
            else {
                use pool https_pool
            }
        }

        virtual 1.2.3.4:80 unit 1 {
            use rule rule_disallow_http_to_members
        }

        rule rule_disallow_http_to_members {
            if (http_uri starts_with "/memberspage.asmx") {
                discard
            }
            else {
                use pool https_pool
            }
        }

    -Aaron
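An added example, not from the thread, that models in Python why the original single rule keyed on server_port discards every request once the SSL proxy has decrypted the traffic, and how the two-virtual-server layout above recovers the original scheme from which virtual received the request. It assumes, as the config above implies, that the proxy hands decrypted requests to a port-80 virtual, and it simplifies matches_regex to a prefix match.

```python
# Added example (not from the thread). Models the two rule designs discussed:
# a single rule keyed on server_port versus one rule per virtual server.
# Assumption: after the SSL proxy terminates TLS, the inner virtual sees
# server_port == 80 for decrypted HTTPS and plain HTTP alike.

MEMBERS_URI = "/memberspage.asmx"


def single_rule(server_port: int, http_uri: str) -> str:
    """The asker's rule (matches_regex simplified to a prefix match)."""
    if http_uri.startswith(MEMBERS_URI) and server_port == 80:
        return "discard"
    return "pool http_servers"


def rule_allow_http_to_members(http_uri: str) -> str:
    """Rule bound to the loopback virtual behind the proxy: only decrypted
    HTTPS arrives here, so members requests may be forwarded."""
    if http_uri.startswith(MEMBERS_URI):
        return "pool members_asmx_pool"
    return "pool https_pool"


def rule_disallow_http_to_members(http_uri: str) -> str:
    """Rule bound to the plaintext virtual 1.2.3.4:80: members requests
    here were sent over plain HTTP, so they are discarded."""
    if http_uri.startswith(MEMBERS_URI):
        return "discard"
    return "pool https_pool"


def dispatch_single_virtual(client_port: int, http_uri: str) -> str:
    """One virtual on port 80 serves both the proxy and direct HTTP.
    client_port is lost at the proxy: the rule only ever sees port 80."""
    observed_port = 80  # constructed: what the inner virtual observes
    return single_rule(observed_port, http_uri)


def dispatch_two_virtuals(client_port: int, http_uri: str) -> str:
    """The reply's layout: the receiving virtual encodes the original scheme."""
    if client_port == 443:
        # proxy 1.2.3.4:443 -> target virtual 127.2.3.4:80 -> allow rule
        return rule_allow_http_to_members(http_uri)
    if client_port == 80:
        # virtual 1.2.3.4:80 -> disallow rule
        return rule_disallow_http_to_members(http_uri)
    raise ValueError(f"no virtual server listens on port {client_port}")


if __name__ == "__main__":
    for port in (443, 80):
        print(port, dispatch_single_virtual(port, MEMBERS_URI),
              dispatch_two_virtuals(port, MEMBERS_URI))
```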