Forum Discussion
Landono
Nimbostratus
Sep 04, 2014
SSL Serverside Not Being Disabled Correctly
Currently we have an iRule that selects the pool based on the URL path. Some pools accept SSL while others do not. In the IF statement (which is in the HTTP_REQUEST event block), if the traffic is fo...
nitass
Employee
Sep 05, 2014
My main question is why my if statement on the pool is not working correctly.
Can you try to add the partition name (i.e. /common)?
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 7
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool pool_foo_https
ltm pool pool_foo_https {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
        }
    }
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool pool_bar_http
ltm pool pool_bar_http {
    members {
        200.200.200.111:80 {
            address 200.200.200.111
        }
    }
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        SSL::disable serverside
        set default_pool [LB::server pool]
    }
    when HTTP_REQUEST {
        set host [HTTP::host]
        set uri [HTTP::uri]
        HTTP::header insert "X-Forwarded-Proto" "https"
        if { [HTTP::uri] starts_with "/foo" } {
            pool pool_foo_https
        } elseif { [HTTP::path] starts_with "/bar" } {
            pool pool_bar_http
        } else {
            pool $default_pool
        }
    }
    when SERVER_CONNECTED {
        if { [LB::server pool] matches "/Common/pool_foo_https" } {
            SSL::enable serverside
        } else {
            SSL::disable serverside
        }
    }
    when HTTP_RESPONSE {
        log local0. "client=[IP::client_addr]:[TCP::client_port] host=$host uri=$uri server=[LB::server]"
    }
}

/var/log/ltm
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm
Sep 4 17:50:40 ve11a info tmm[15094]: Rule /Common/qux HTTP_RESPONSE: client=172.28.24.1:38994 host=172.28.24.10 uri=/ server=/Common/foo 200.200.200.101 80
Sep 4 17:50:52 ve11a info tmm1[15094]: Rule /Common/qux HTTP_RESPONSE: client=172.28.24.1:38995 host=172.28.24.10 uri=/foo server=/Common/pool_foo_https 200.200.200.101 443
Sep 4 17:50:58 ve11a info tmm[15094]: Rule /Common/qux HTTP_RESPONSE: client=172.28.24.1:38996 host=172.28.24.10 uri=/bar server=/Common/pool_bar_http 200.200.200.111 80
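
A small lint for the point raised in the reply above, added here as an example and not part of the original post: it scans iRule text for `[LB::server pool]` compared against a pool name with no partition path, which cannot equal the full path seen in the log output (`/Common/pool_foo_https`). The function name, the operator set and the sample rule `BARE` are assumptions made for this example.

```python
import re

# Operators that need the whole value (or its start) to equal the literal,
# so a literal without the partition never matches a full pool path.
STRICT_OPS = {"equals", "eq", "==", "starts_with"}

# [LB::server pool] <operator> "literal"  (quotes optional)
COMPARE = re.compile(
    r'\[LB::server\s+pool\]\s+(?P<op>\S+)\s+"?(?P<name>[^"\s}]+)"?')


def lint_pool_comparisons(irule_text):
    """Return (line_no, operator, literal) for every comparison of
    [LB::server pool] against a pool name that has no partition path."""
    findings = []
    for line_no, line in enumerate(irule_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # crude: drop Tcl line comments
        for m in COMPARE.finditer(code):
            op, name = m.group("op"), m.group("name")
            if name[0] in "$[":       # variable or command, not a literal
                continue
            if op in STRICT_OPS and not name.startswith("/"):
                findings.append((line_no, op, name))
    return findings


# Constructed sample: bare pool name, so SSL::enable is never reached.
BARE = '''when SERVER_CONNECTED {
    if { [LB::server pool] equals "pool_foo_https" } {
        SSL::enable serverside
    } else {
        SSL::disable serverside
    }
}'''

# Same check with the partition included, as the reply suggests.
FULL = BARE.replace('"pool_foo_https"', '"/Common/pool_foo_https"')

if __name__ == "__main__":
    for label, text in (("bare", BARE), ("full", FULL)):
        print(label, lint_pool_comparisons(text))
```

A finding on the branch that calls `SSL::enable serverside` means traffic selected for the HTTPS pool would be sent without server-side TLS.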