Forum Discussion

Gorf_33479's avatar
Gorf_33479
Icon for Nimbostratus rankNimbostratus
Jun 06, 2012

Testing for client SSL and disabling serverside profile as needed

We have some URL's in our main website that are actually redirected to other servers when a user lands on them. It makes our main site look pretty and all self contained so that our SEO and SEM guys get excited. However, it causes me some minor headaches. I currently use a pretty simple iRule to test for those paths, and then redirect the connection to it's respective pool. However, one of those sites is going to generate HTTPS URL's. We offload all our SSL to our BigIP's with a client SSL profile, and normally we use a server side SSL profile to encrypt the connection from the BigIP to the node. However, they custom URL's are such that we don't really care about that encryption from the BigIIP to the node. For simplicity, I would really like to be able to make this an all-in-one iRule that I can apply to both the HTTP VIP and the HTTPS VIP. Here is the iRule so far:

when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]

    if { ($uri starts_with "/media" || $uri starts_with "/corporate" || $uri starts_with "/blog") } {        
        set disableServerSSL 0
        set newHost ""
        set newPool ""

        if { ($uri eq "/media" || $uri starts_with "/media/") } {
            set newPool "the_media_pool.80"
            set disableServerSSL 1
        }
        elseif { ($uri eq "/corporate" || $uri starts_with "/corporate/") } {
            set newPool "the_corporate_pool.80"
            set disableServerSSL 1
        }
        elseif { ($uri eq "/blog" || $uri starts_with "/blog/") } {
            set newPool "the_blog_pool.80"
            set disableServerSSL 1
        }
        
         Attempt to disable SSL.  
         TODO: This should test if the connection is SSL to begin with
        if {$disableServerSSL eq 1} {
            SSL::disable serverside
        }

        if {$newPool ne ""}
        {
            pool $newPool 
        }
    }
}

The issue occurs in the "SSL::Disable" if block. If I use this iRule on an HTTP VIP, I get the following error:

01070394:3: SSL::disable in rule (other_sites2) requires an associated SERVERSSL or CLIENTSSL profile on the virtual server (some_virtual_server)

Is there a way to work around that error so I don't have to support two different iRules at the same time? I was hoping there maybe was a way to test if I need to disable SSL in the first place (connections on the HTTP VIP) that might satisfy the iRule processor and kill that error message.

Thanks!

application delivery
dev
devops
iRules
No RepliesBe the first to reply