uri forwarding to a pool on an SSL Virtual server

Hi Mali,

how does the rest of your configuration look like, I mean do you have a default pool assigned to your VS? Because when you access the page without URI, the iRule has nothing to match, but you still reaching the webserver correctly.

And why do you need to specify the URI "/abc" differently from all the rest? Can you please provide some more background information or explain in more details what your requirements are?

Thank you!

Ciao Stefan :)

Hi Mali,

I don't think it's related to SSL, because the SSL-handshake happens already before the HTTP_REQUEST event. Otherwise also access to the default pool wouldn't work.

When you are doing SSL offload, this means you only have a clientSSL profile assigned, but no serverSSL, right?

And your default pool, as well as the pool referred in the iRule (starts_with "/abc") have both members defined with port 80 (or at least any other non-default HTTP-based port)?

Did you already check the logs, if there are any errors when executing the iRule?

Can you please share the config from your SSL VS and the two pools (from conf-file or via tmsh-command)?

Ciao Stefan :)

Maybe try this...

when HTTP_REQUEST {

if { not ([HTTP::uri] starts_with "/abc") } {

pool normalpool

} else {

pool abcpool

}

}

Maybe try this...

when HTTP_REQUEST {

if { not ([HTTP::uri] starts_with "/abc") } {

pool normalpool

} else {

pool abcpool

}

}

Hi Mali,

I would try to sniffer next, to see what happend on network level. In case you are not using SNAT just filter on your sourceIP. Otherwise use the -p option to dump on "peer" flows:

tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.cap

Note: Above capture takes advantage of new tcpdump flag "-p" that captures peer sides of the connection which
is useful when traffic is snatted on the serverside. It requires a little workaround to reset/clear the filter
internally (running a different capture without the -p flag that won't match original filter)

tcpdump -ni 0.0:nnn -s 0 port 1

Type Ctl -C to stop the capture immediately after it started.

Ciao Stefan 🙂

You mean connection will be correctly established to a server in your abc-pool? And the GET-request will correctly be send to this server? And what is the response of this server? I mean if it's not working I would expect that either connection is not correctly established (network issue) or the GET-request is not handled correctly (application issue).

As you are doing SSL-offload you should be able to verify/read the HTTP-requests towards the server, sure there isn't something wrong?

Ciao Stefan :)

Hi Mali,

you didn't answer my last question. When you open a fresh browser and try to connect directly towards https://domain.com/abc it's not working. But what do you see in the sniffer for this first request?

• do you see successful TCP-handshake with the abc-pool server?
• do you see the GET-request going out towards this server?
• do you see the response for this GET-request coming back from this server?

And what is the result/error in your browser? I guess a connection timeout or something else?

Ciao Stefan :)