Talk HTTPS to a server in a pool
Matthias_62542 (Nimbostratus), Mar 08, 2010
Hello,
I've set up a virtual server with a client SSL profile so I can reach the virtual server with F5. The F5 and the servers in the pool use cleartext HTTP for communication.
One server in the pool is an HTTPS server. I want to split up the HTTPS connection on the F5 so I would talk to the client HTTPS with one certificate and to the server in the pool with another one.

Client --SSL--> F5 --SSL--> Server

I've tried to add a server SSL profile to the virtual server configuration, but then I get "The connection was reset" in my web browser if I'm trying to open the HTTPS port.
Is there any iRule I can use for that setup, or is there something wrong with my configuration? Is it even possible to talk HTTPS to a server in the pool?
L4L7_53191 (Nimbostratus):
Just so I understand correctly: you've got a pool of systems, but only one is SSL-enabled? Serverside SSL is trivial to set up, and you can indeed use a different certificate for this, so there are no issues. I'm trying to understand the setup though - it seems a little odd to have one server in the pool set up differently than the others.

Matthias_62542 (Nimbostratus):
Hi Matt,

L4L7_53191 (Nimbostratus):
Ok. You should be able to do this. Here's the high level, untested logic. Obviously, 10.0.0.25 is a made-up member IP. Here we'll assume it's your SSL member. I hope this gets you close (I have no time to test it this week).

```tcl
when LB_SELECTED {
    # Once a pool member has been selected, check whether it is the SSL pool member.
    # If it is, enable server-side SSL.
    if { [IP::addr [LB::server addr] equals 10.0.0.25] } {
        SSL::enable serverside
    }
}
```

L4L7_53191 (Nimbostratus):
You know, this may actually be cleaner - enable server side SSL on your virtual, but disable it for every pool member but this one:

```tcl
when LB_SELECTED {
    # Once a pool member has been selected, check whether it is the SSL pool member.
    # If it is not, disable server-side SSL for this connection.
    if { not [IP::addr [LB::server addr] equals 10.0.0.25] } {
        SSL::disable serverside
    }
}
```

hoolio (Cirrostratus):
Following Matt's example, if the servers are defined on different ports in the pool, you could use !([LB::server port] == 443) to disable SSL (or whatever port the SSL server(s) are enabled on). This way the pool membership can change without having to modify the hardcoded IP address.

L4L7_53191 (Nimbostratus):
Much better, thanks Aaron. Your way allows for multiple SSL systems in the pool as well as membership changes.
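Putting Aaron's port-based variant together as one iRule, as an added example that is not code from the thread: the server SSL profile stays attached to the virtual server, and server-side SSL is switched off per connection for any member whose port is not in an assumed list of SSL ports (443 and 8443 here). The log lines are an assumption added so the decision can be checked in /var/log/ltm while testing.

```tcl
# Added example, not from the thread. Assumes a server SSL profile is attached to
# the virtual server and that SSL pool members listen on 443 or 8443 (assumed ports).
when LB_SELECTED {
    set server_ip   [LB::server addr]
    set server_port [LB::server port]

    switch -- $server_port {
        443 -
        8443 {
            # Member listens on an SSL port: leave server-side SSL on so the F5
            # re-encrypts to the server with the server SSL profile's certificate.
            log local0. "LB_SELECTED: $server_ip:$server_port is an SSL member, keeping serverside SSL"
        }
        default {
            # Cleartext HTTP member: an SSL handshake here is what produced the
            # "connection was reset" in the browser, so turn server-side SSL off
            # for this connection only. LB_SELECTED fires before the server-side
            # connection is opened, so the change takes effect for this flow.
            SSL::disable serverside
            log local0. "LB_SELECTED: $server_ip:$server_port is cleartext, disabled serverside SSL"
        }
    }
}
```

The log statements are for verification only; drop them once the behaviour is confirmed, since they write one line per load-balancing decision.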