Forum Discussion
kona2-9_51980
Nimbostratus
NimbostratusTrying to create an iRule to serve multiple http and https pools based off of a single VIP
I have four pools :
testa.org
testa-ssl
testb.org
testb.org-ssl
I can see that when i send plain http traffic to either my log line is hit. but when i select https i get no hits. Any suggested articles or changes appreciated. when
when HTTP_REQUEST {
log local0. "in HTTP_REQUEST"
if
{[ HTTP::uri] contains "testa.org" and [TCP::server_port] == 80}
{pool testa.org}
elseif
{[HTTP::uri] contains "testb.org" and [TCP::server_port] == 80}
{pool testb.org}
elseif
{[HTTP::uri] contains "testa.org" and [TCP::server_port] == 443}
{pool testa.org-ssl}
elseif
{[HTTP::uri] contains "testb.org" and [TCP::server_port] == 443}
{pool testb.org-ssl}
}
Brian_69413Most likely a certificate or rather a Client SSL profile issue. I would just create two VIP's with the same IP on port 80 and 443, then split the irule between them...
Michael_YatesHi kona2-9,
The "testa.org" and testb.org" should be in the [HTTP::host] value, not the [HTTP::uri].
Example: http://www.website.com/foo/bar/index.html
HTTP:host value: www.webiste.com
HTTP::uri value: /foo/bar/index.html
Try updating your iRule and see if it starts to work properly.
Hope this helps.- When SSL traffic comes into the Virtual the HTTP_REQUEST will never be hit unless you have a clientssl profile enabled on the VIP. If you do not then the VIP is resetting all the SSL traffic as it is not HTTP traffic. To get around this you need to have a virtual that has a SSL profile. With version 11 you can have multiple ClientSSL profiles attached to the VIP with SNI. With this the client sends in the client Hello what cert it is expecting to see, the LTM will read that and return the correct SSL cert unless it profile is not attach to the VIP then it will return the default profile. Hope that help fix the SSL issue.
- Joel_MosesYes, it's your use of HTTP_REQUEST here that's the issue. That's not available in an SSL session that the LTM isn't offloading. The thing you want to do in SSL is called "Server Name Indication" and v11 includes tools to support this (although please note that if you expect any Windows XP users, they won't be able to use SNI).
At a bare minimum, you probably need to split these sites into multiple VIPs if you can spare the IP addresses and can control the DNS hostnames. - kona2-9_51980Sorry for the long reply but what i have done is split the VIP and based on port. VIP::80 works after following mr. Yates suggestions. I am now having problems getting my SSL portion to work. I have VIP::443 setup and ssl profile (client) set to clientssl, I am running version BIG-IP 9.2.3 Build 34.3. I can browse directly to https://www.testa.org and page is displayed. but when i point my host file to use the VIP for www.testa.org i get a reset.
I am have found this link and wonder if anyone thinks this may work for what i am trying to do?
https://devcentral.f5.com/wiki/iRules.HttpHttpsSingleVirtualServer.ashx - If you are seeing a reset and are useing a iRule check /var/log/ltm. When a iRule has a error the LTM will reset the connection, the logs will tell you what happen.
- Eric_St__John
Employee
If you are communicating to your pool members via SSL, you must have a serverssl profile assigned also. So, you should have both clientssl and serverssl profiles assigned. - Michael_YatesHi kona2-9,
I agree with Joel’s suggestion of splitting your HTTP and HTTPS Traffic onto separate Virtual Servers (on for 80 and one for 443).
On your HTTP Virtual Server you do not need any SSL Profiles. On your HTTPS Virtual Server you will need an SSL Profile (Client) at a minimum. If you have an SSL Certificate installed on the Web Server then you will also need to enable the SSL Profile (Server) as well to re-encrypt the traffic between the LTM and the Web Server.
If you follow the suggestion of using two Virtual Servers and you want to maintain the logic in a single iRule that could be applied to both the HTTP and HTTPS Virtual Server you could do something like this, or separate the logic into two simpler iRules (one for HTTP and one for HTTPS).when HTTP_REQUEST { switch [TCP::server_port] { "80" { switch -glob [string tolower [HTTP::host]] { "*testa.org" { pool testa.org } "*testb.org" { pool testb.org } } } "443" { switch -glob [string tolower [HTTP::host]] { "*testa.org" { pool testa.org-ssl } "*testb.org" { pool testb.org-ssl } } } } }
Hope this helps. - kona2-9_51980I have decided to split the iRule in to two parts and config is below. HTTP traffic is working with no problems. HTTPS on the other hand, fails with a 400 error if only clientssl profile is selected. If bot ssl proviles serverssl and clientssl are selected i get a reset. Does anyone know if there is a way for me to use the servername portion of the client hello packet? I am not sure if the http::host might not be getting hit. Also, on a side note if I https directly to the server i do get the correct page.
test-port80
10.102.27.237:80
http profile: http
irule : test-vip-80
when HTTP_REQUEST {
switch [TCP::server_port] {
"80" {
switch -glob [string tolower [HTTP::host]] {
"*testa.org" { pool testa.org }
"*testb.org" { pool testb.org }
}
}
}
}
============================================================
test-port443
10.102.27.237:443
http profile: http
clientssl
irule : test-vip-443
when HTTP_REQUEST {
switch [TCP::server_port] {
"443" {
switch -glob [string tolower [HTTP::host]] {
"*testa.org" { pool testa.org-ssl }
"*testb.org" { pool testb.org-ssl }
}
}
}
}
