Forum Discussion
Eric_27859
Nimbostratus
NimbostratusSSL::profile errors
Hello,
I need help with this iRule... In some VS, when /images* is invoked, we need to redirect the traffic to another pool and change from HTTP to HTTPS in the backend.
For this purpose I've created this iRule:
when SERVER_CONNECTED {
set sp [LB::server pool]
log local0. "Server pool: $sp"
if { [IP::addr [LB::server addr] equals 10.75.64.175 ]} {
SSL::profile sslmyappimages
SSL::enable serverside
log local0. " Asignando nuevo perfil para pool de myserver.com/images"
}
else
{
log local0. " No se asigno nuevo perfil para pool de myserver.com/images"
}
}
It doesn't work, and the logs in /var/logs/ltm goes like this:
Apr 6 13:04:00 local/tmm1 err tmm1[5535]: 01220001:3: TCL error: imagesirule - wrong args: should be "SSL::profile " while executing "SSL::profile sslmyappimages"
I don't have a clue why is that happening, I also tried without SSL::enable serverside, and I think I'm following this syntax http://devcentral.f5.com/wiki/defau...nable.html
I've been careful with spaces... simply don't understand...
Thank you!!
- Do you have a serverSSL profile assigned to the virtual? You need to have a default serverSSL profile assigned before you can swap profiles using the SSL::profile command.
Colin 
Eric_27859No, I don't have any default server SSL Profile (only one client SSL profile).
The default pool uses HTTP connection, and only this another server (containing only images, configured on another pool and redirected by a traffic class with "matching only") so we can't use one Server SSL profile in the Virtual Server.
Should I create a dumb Server SSL profile with Certificate: None, and Key:none for the virtual server ???? The other workarround is to enable by default the "sslmyappimages" profile and disable ssl in all the request except those going to tihs server... should it work? which is better?
Thank you for the tip!
hooleylistCirrostratus
You can enable any server SSL profile and then use SSL::profile to switch to another one. With that, server SSL will be enabled by default. You can then selectively disable encryption using SSL::disable serverside.
Aaron- What Aaron said. ;)
You must have SOME profile enabled or it won't allow you to swap profiles. Create a new dummy profile if you need to and then disable SSL for all traffic that doesn't require that profile. Then switch to this profile for traffic that does require it.
Or heck, for that matter, if you don't really want to swap between multiple serverSSL profiles, you just want to enable for this traffic and disable for the rest, use this profile as the default and SSL::disable on the server side for any content that doesn't require it.
Colin - Eric_27859The second one leads to a cleaner iRule like the following:
when HTTP_REQUEST {
if { not ( [[HTTP::uri] starts_with "/images"] ) } {
SSL::disable serverside
}
}
I like that, i need to keep searching why it doesnt work yet, well this iRule works, but the backend connection is not working properly... i think maybe there are some issues with the ssl handshake or something like that. Do you have some debugging/diagnostic tips that doesnt involve only tcpdump?
Thank you!! - The only thing I can suggest is the obvious "check the error logs" comment. Both on the server and the LTM, checking for errors is the first thing I'd do. Past that...it's dump time..ooohh fun. ;)
Colin - Eric_27859Yep... tail -f /var/log/ltm = your best friend...
the last error logs are:
Apr 6 17:19:43 local/tmm err tmm[5534]: 01220001:3: TCL error: imagesirule - invalid command name "/images/products/burger-k.gif" while executing "[HTTP::uri] starts_with "/images""
what th.... - You have an extra set of square brackets. Try:
when HTTP_REQUEST { if { not ([HTTP::uri] starts_with "/images" ) } { SSL::disable serverside } }
Colin - Basically, it's trying to run "[HTTP::uri] starts_with "/images"" as a command. Which...it's not. ;)
Colin - Eric_27859Thank you for helping me!
