Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Simon_Beaudoin's avatar
Simon_Beaudoin
Icon for Nimbostratus rankNimbostratus
Oct 27, 2020

Trying to achieve a specific configuration with an Irule and SSL Proxy.

Here is what we are trying to acheive to replace a Microsoft IIS Server. Many of our client servers are note supporting TLS 1.2, So we have this webserver that acts as a proxy for them. The IIS Ser...
application delivery
big-ip
devops
irules
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 01, 2020

> We cannot use nodes because all those site are external.

 

You can define nodes that are external to the networks on the LTM.

 

> Our dev team would like to replace this IIS server without having to use nodes,datagroup or so. Only with the /URL=??? method already hardcoded on hundreds of servers.

 

It's certainly achievable, but not trivial.

 

I'd suggest approaching F5 Professional Services to get this written.

 

Otherwise, here is a high-level irule structure

 

you need server-ssl profiles for all the target severs, with relevant settings and client-auth certificates

They need to be named in a structured way so they can be correctly selected with the host name

 

get the request URI (HTTP:uri)

split it on "URL=", and keep the second result

Prepend "https://" so you have a target URI for the server-side response

Use URI::host to get the host name

use DNS::resolve to get an IP address from the host name

set the node using the IP address

change the Host header in the request

select the correct server-ssl profile based on the hostname

allow the request to be made

once you have a response, translate any embedded URLs as required