Forum Discussion
Unencrypt/iRule/Rencrypt
New to iRules so bear with me.
I have a site that is using SSL all the way to the servers (no offloading). It is under https://www.abc.com/qualifier. I want to redirect to https://www.xyz.com/qualifier. This is simple enough under HTTP but without SSL offloading I'm kinda stuck.
Instead of SSL passthru can I do something like: SSL decrypt with abc certificate, iRule URI rewrite, SSL encrypt with xyz certificate?
I know this is kind of a simple example but I don't know what else to do other than build out a separate pool, but even that will have trouble with the rewrite rule.
5 Replies
- John_Alam_45640
Historic F5 Account
If you just want to redirect, why do you think you need to re-encrypt with the xyz certificate?
You only need to decrypt the traffic destined to abc using that cert and issue a redirect. What happens when the client hits xyz is another story. You did not specify if that traffic comes back to the same bigip but, if it did, you don't have to decrypt that
HTH
- IheartF5_45022
Nacreous
Do you want to use the same VIP for both www.abc.com / www.xyz.com?
If so you will need to apply a clientssl profile with the cert/key for www.abc.com and www.xyz.com (using the Subject Alternative Names feature of the cert), and use the default serverssl profile (to re-encrypt).
Then it's not really clear if you want to send both FQDNs to the same pool......
- ryan_rockwell_1
Nimbostratus
Unfortunately it's not just a redirect. There is traffic from 2 different companies coming to the same URL; they are just split by URI, i.e. www.abc.com/rst and www.abc.com/uwv. rst traffic needs to continue on to the same pool with encryption on the original cert, while uwv needs to be redirected to a new URL with a new cert to a new virtual server, i.e. www.xyz.com/uwv.
- Thomas_Gobet
Nimbostratus
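Here is the iRule matching what you gave us:
    when HTTP_REQUEST {
        # Route on the request URI; these patterns are exact matches.
        switch [HTTP::uri] {
            "/rst" {
                # Keep rst traffic on the original pool.
                pool your_https_pool
            }
            "/uwv" {
                # Send uwv traffic to the new site.
                HTTP::redirect "https://www.xyz.com/uwv"
            }
        }
    }
- ryan_rockwell_1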
Nimbostratus
The solution I came up with is to unencrypt at the F5 using the original certificate (client SSL profile), apply an iRule that rewrites the uwv URL to https://www.xyz.com/rst and then re-encrypt (server SSL profile) traffic to the original pool with the original certificate. That way traffic that goes to https://www.abc.com/rst flows as normal and traffic that goes to https://www.abc.com/uwv gets rewritten to https://www.xyz.com/uwv and uses the new xyz certificate.
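The decrypt, route by URI, re-encrypt flow discussed in this thread, written out as an added example (not code from any of the replies). It assumes the virtual server carries a client SSL profile with the abc certificate, an HTTP profile and a server SSL profile; `your_https_pool` is the placeholder pool name from the reply above, and the prefix matching is an assumption about how the two companies' paths are laid out.

```tcl
# Added example, not from the thread. The iRule only sees HTTP_REQUEST
# because the client SSL profile has already decrypted the connection;
# the server SSL profile re-encrypts whatever is sent on to the pool.
when HTTP_REQUEST {
    # Match on the path only, case-insensitively, so sub-paths and
    # query strings (e.g. /uwv/login?id=1) are handled as well.
    switch -glob [string tolower [HTTP::path]] {
        "/rst" -
        "/rst/*" {
            # Unchanged flow: original pool, re-encrypted by the
            # server SSL profile.
            pool your_https_pool
        }
        "/uwv" -
        "/uwv/*" {
            # The destination host is hard-coded; only the client's
            # path and query are carried over, so a forged Host header
            # cannot steer the redirect elsewhere.
            HTTP::redirect "https://www.xyz.com[HTTP::uri]"
        }
        # No default branch: any other path falls through to the
        # virtual server's default pool (assumption).
    }
}
```

After the redirect the client opens a new TLS connection to www.xyz.com, so the xyz certificate belongs on the client SSL profile of whichever virtual server answers for that name.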