For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mark_du_Plessis's avatar
Mark_du_Plessis
Icon for Nimbostratus rankNimbostratus
Sep 08, 2005

SSL Proxy on F5

All,     once again, a question from a newbie. I've been trying to set up a rule that says something along the lines of:     else if (http_uri matches_regex "/memberspage.asmx" and server...
application delivery
dev
devops
iRules
v4
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Sep 09, 2005
If I understand your scenario correctly, I think you could use a proxy, two virtual servers and two rules to accomplish this.

 

 

You could configure a proxy on an external IP address -> loopback virtual server -> rule that routes requests for '/memberspage.asmx' to your HTTP pool. You could then create a separate virtual server on the same external IP address as the proxy on port 80 that points to a rule that discards any requests for '/memberspage.asmx'.

 

 

There may be a trickier method for only using one rule and differentiating whether the original request was made to port 443 or port 80, but I'm not sure what it would be.

 

 

Here is a quick example:

 

 

proxy 1.2.3.4:443 unit 1 {

 

target virtual 127.2.3.4:80

 

clientssl enable

 

clientssl key my.ssl.key

 

clientssl cert my.ssl.crt

 

}

 

 

virtual 127.2.3.4:80 unit 1 {

 

netmask 255.255.255.255

 

use rule rule_allow_http_to_members

 

}

 

 

rule rule_allow_http_to_members {

 

if (http_uri starts_with "/members.asmx") {

 

use pool members_asmx_pool

 

}

 

else {

 

use pool https_pool

 

}

 

}

 

 

 

virtual 1.2.3.4:80 unit 1 {

 

use rule rule_disallow_http_to_members

 

}

 

 

rule rule_allow_http_to_members {

 

if (http_uri starts_with "/members.asmx") {

 

discard

 

}

 

else {

 

use pool https_pool

 

}

 

}

 

 

-Aaron