Dayton_Gray_103
Nimbostratus
Jun 07, 2007
SSL unencrypt/reencrypt after looking at header
Here is my situation.
We are looking to send SSL (port 443) traffic to different pools based upon host header, and either un-encrypt or re-encrypt based upon pool used. I have not found any ...
Deb_Allen_18
Jun 07, 2007
Historic F5 Account
You can certainly inspect the host header and act on the value once you've decrypted the request.
The only issue you may encounter is that there can only be a single cert applied to the port 443 virtual server, so HTTPS requests to 1 of the 2 hostnames in question would result in the "cert mismatch" error. Really no way around that one, and the same thing would happen with your proposed workaround (possible in LTM v9.4, which introduced the ability to have a virtual use another virtual as a destination).
But to use an iRule on a single virtual instead, this should get you on your way:
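```tcl
when HTTP_REQUEST {
    # Default: send to the local pool without server-side SSL
    set reencrypt 0
    if { [HTTP::header Host] == "host1.domain.com" } {
        pool LocalPool
    } else {
        # Any other Host goes to the remote pool and is re-encrypted
        set reencrypt 1
        pool RemotePool
    }
}
when SERVER_CONNECTED {
    # Turn off server-side SSL when re-encryption is not wanted
    if { $reencrypt == 0 } {
        SSL::disable
    }
}
```

HTH
/deb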
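The "cert mismatch" condition described in the answer above can be checked before deployment. This is an added example, not part of the original post and not F5 code: it reports which of the hostnames routed by the iRule are not covered by a certificate's names. `host2.example.net` and the certificate name lists are constructed assumptions.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a requested hostname.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, so *.domain.com covers neither domain.com nor
    a.b.domain.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as *.com and empty host labels.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert_names, routed_hosts):
    """Return the routed hostnames that no certificate name covers."""
    return [h for h in routed_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Hostnames the iRule routes on. host1.domain.com is from the thread;
# host2.example.net is a constructed stand-in for the second hostname.
ROUTED = ["host1.domain.com", "host2.example.net"]

# Constructed name lists for candidate certificates on the 443 virtual server.
CERTS = {
    "single-name": ["host1.domain.com"],
    "wildcard": ["*.domain.com"],
    "multi-name": ["host1.domain.com", "host2.example.net"],
}


def report():
    """Map each candidate certificate to the hostnames it would mismatch."""
    return {label: uncovered_hosts(names, ROUTED)
            for label, names in CERTS.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        print(f"{label:12} mismatch for: {missing or 'none'}")
```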
