Forum Discussion
Dayton_Gray_103
Nimbostratus
NimbostratusSSL unencrypt/reencrypt after looking at header
Here is my situation.
We are looking to send SSL (port 443) traffic to different pools based upon host header. and either un-encrypt or re-encrypt based upon pool used. I have not found any solution after digging through the forums.
Basically we are looking to send 443 traffic to a pool pointing to a different data center (re-encrypted via SSLServer profile) if it does not match a certain host header. If the host header is matched, it needs to send it unencrypted to a local pool (local web servers).
Is there anyway to do this via iRule? From what I've read I'm not sure that it is possible so we came up with another hair-brained scheme to have 3 virtual servers. The first will un-encrypt (client SSL) and the pool would point to the second Virtual server. The second virtual server would re-encrypt (server SSL) and have an iRule which would look at the host header. If the host header did not match it would send the traffic to the other datacenter and if it did match send to the third Virtual server. The third virtual server would simply un-encrypt (client SSL) and send to the internal web servers.
Does this sound feasible? I have tested and the BigIP seems to have a problem connecting back to itself (pool pointing to another Virtual Server). I have tried this doing just port 80 traffic and it doesn't seem to work. My guess is that it is having a problem with NAT/SNAT tables. Any suggestions?
- You can certainly inspect the host header and act on the value once you've decrypted the request.
The only issue you may encounter is that there can only be a single cert applied to the port 443 virtual server, so HTTPS requests to 1 of the 2 hostnames in question would result in the "cert mismatch" error. Really no way around that one, and the same thing would happen with your proposed workaround (possible in LTM v9.4, which introduced the ability to have a virtual use another virtual as a destination.)
But to use an iRule on a single virtual instead, this should get you on your way:
HTHwhen HTTP_REQUEST { set reencrypt 0 if { [HTTP::header Host] == "host1.domain.com" }{ pool LocalPool } else { set reencrypt 1 pool RemotePool } } when SERVER_CONNECTED { if { $reencrypt == 0 }{ SSL::disable } }
/deb 
Dayton_Gray_103I get this error with this iRule (BigIP LTM 9.4):
01070151:3: Rule [XXX_Passthrough] error: line 1: [invalid keyword { set reencrypt 0 if { [HTTP::header Host] == xxx.xxxxx.com } pool internalweb } must be: priority timing] [when HTTP_REQUEST { set reencrypt 0 if { [HTTP::header Host] == xxx.xxxxx.com } pool internalweb } else { set reencrypt 1 pool xxx-sec.443 }] line 9: [command is not valid in the current scope] [}]
Is reencrypt not valid within the HTTP_REQUEST section?- Dayton_Gray_103Disregard... it's just a missing {
Thanks for the input! - Dayton_Gray_103I seem to bet getting an error in the webserver when a server SSL profile is in place. If I remove the server SSL profile it works properly. Any idea why I might be seeing this error? It looks like it still may be encrypted.
Access log:
192.168.176.23 - - [08/Jun/2007:10:22:42 -0400] "\x16\x03" 501 290 "-" "-"
Error log:
[Fri Jun 08 10:22:42 2007] [error] [client 192.168.176.23] Invalid method in request \x16\x03
Thanks for any advice. - Dayton_Gray_103Bump. Anyone know why this still looks encrypted on the web server when the host header matches?
- Dayton_Gray_103I added some logging into the iRule. According to the logs it looks like it is getting redirected to the proper pool and that the SSL::Disable is triggering:
Jun 13 12:34:16 tmm tmm[1629]: 01220002:6: Rule FOG_Passthrough_443 : local0."test1"
Jun 13 12:34:16 tmm tmm[1629]: 01220002:6: Rule FOG_Passthrough_443 : local0."nossl"
Any idea why the web server would be getting 501 errors in the logs? Is this because the browser still has https in the url?
when HTTP_REQUEST {
set reencrypt 0
if { [HTTP::header Host] == "xxxxxxxxxxx" }{
{
pool xxxxxxxxxxxx
log local0."test1"
} else {
set reencrypt 1
pool fog-sec.443
log local0."test2"
}
}
when SERVER_CONNECTED {
if { $reencrypt == 0 }{
SSL::disable
log local0."nossl"
}
} - Dayton_Gray_103It looks as if I have run into a bug with the 9.4 Hotfix 4 release. I have tried the above code on a 9.2 BigIP and it is working without issue. I am communicating with F5 now to determine what the problem is.
Thanks for the help! 
Ian_Amos_37833Posted By Byzandula on 06/07/2007 8:36 PM
Disregard... it's just a missing {
Thanks for the input!
Hi, i'm trying to do a similar thing, and am getting the same error message..
Where is the missing { ??
Thanks
hoolioCirrostratus
The missing { should be at the end of the line of the first 'if':when HTTP_REQUEST { set reencrypt 0 if { [HTTP::header Host] == "host1.domain.com" }{ pool LocalPool } else { set reencrypt 1 pool RemotePool } } when SERVER_CONNECTED { if { $reencrypt == 0 }{ SSL::disable } }
Aaron- Ian_Amos_37833Excellent, thank you.
The rule is accepted, but when it is actioned, I get the following error in the logs:TCL error: Rule Test-4 HTTP_REQUEST - cant use non-numeric string as operand of ! while executing if { not [HTTP::uri] starts_with /exchange/ || [HTTP::uri] starts_with /exchweb/ } { pool content log local0.test4-1 } else { set disable 0...
The rule i'm trying to use is:when HTTP_REQUEST { set disable 1 if { not [HTTP::uri] starts_with "/exchange/" || [HTTP::uri] starts_with "/exchweb/" } { pool UAT-content log local0."test4-1" } else { set disable 0 pool OWA-Pool log local0."test4-2" } } when SERVER_CONNECTED { if { $disable == 1 }{ SSL::disable log local0."nossl" } }
Reason for this, is that our MS exchange servers have to use SSL, whereas our Apache can't.. (don't ask me why..)
Any help would be much appreciated!!
