Forum Discussion
URI Rule in Rewrite profile disable Server SSL profile?
Hi Stan,
Weird that I forgot about this conversation 🙂
One correction to your iRule:
if {[POLICY::targets serverssl] } {
should be if {[POLICY::targets server-ssl] } {
BTW - thanks for pointing out how to use POLICY::targets, it is very useful for making the iRule more universal!
I did some tests and can't find a problem with server SSL disable in LTP; either it was corrected in 13.1.1.3 or I don't have enough sample traffic to trigger the error.
I tested an LTP like the one below, switching between HTTPS and HTTP to the same server based on the URL. It just works. / is sending traffic over HTTPS and /nossl over HTTP; I can repeat the switching forever and can't trigger the error.
LTP used:
    ltm policy test-disable-serverssl-per-request {
        controls { forwarding server-ssl }
        description "If URL is /nossl disable serverssl"
        draft-copy Drafts/test-disable-serverssl-per-request
        last-modified 2019-02-28:11:50:07
        requires { http }
        rules {
            change-host_r {
                actions {
                    0 {
                        log
                        write
                        facility local0
                        message "tcl:VS: \"[getfield [virtual name] / 3]\"; Host: \"[HTTP::host]\"; URI: \"[HTTP::uri]\""
                        priority info
                    }
                    1 {
                        http-host
                        replace
                        value "tcl:[class match -value [getfield [HTTP::host] : 1] equals vh-parent-https-https-vs_dg]"
                    }
                }
                description "Change Host header for any other URL"
                ordinal 1
            }
            disable-serverssl-via-url_r {
                actions {
                    0 {
                        log
                        write
                        facility local0
                        message "tcl:VS: \"[getfield [virtual name] / 3]\"; Host: \"[HTTP::host]\"; URI: \"[HTTP::uri]\""
                        priority info
                    }
                    1 {
                        http-host
                        replace
                        value "tcl:[class match -value [getfield [HTTP::host] : 1] equals vh-parent-https-https-vs_dg]"
                    }
                    2 {
                        server-ssl
                        disable
                    }
                    3 {
                        forward
                        select
                        pool vh-site41-80_pl
                    }
                }
                conditions {
                    0 {
                        http-uri
                        path-segment
                        index 1
                        values { nossl }
                    }
                }
                description "Disables serverssl when /nossl URL is discovered; changes Host header"
            }
        }
        status published
        strategy first-match
    }
So I am a bit puzzled about how to trigger the issue you described - any hint?
Piotr
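
Added example (not part of the post above and not F5 code): a rule that disables server-ssl sends matching requests to the pool over plain HTTP, so a small Python check that parses an `ltm policy` stanza and lists every such rule with its conditions and target pool is useful when reviewing policies. The function names are hypothetical and the sample is constructed by trimming the policy quoted in the post.

```python
import re

# Constructed sample, trimmed from the policy quoted in the post.
SAMPLE = r'''
ltm policy test-disable-serverssl-per-request {
    rules {
        change-host_r { actions { 0 { log write message "tcl:URI: \"[HTTP::uri]\"" } } }
        disable-serverssl-via-url_r {
            actions { 0 { server-ssl disable } 1 { forward select pool vh-site41-80_pl } }
            conditions { 0 { http-uri path-segment index 1 values { nossl } } }
        }
    }
}
'''
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{}]|[^\s{}]+')  # quoted string, brace, or bare word

def parse(tokens):
    # Consume tokens up to the matching '}'; return words and (name, children) blocks.
    items = []
    while tokens and (tok := tokens.pop(0)) != "}":
        if tok == "{":
            name = items.pop() if items and isinstance(items[-1], str) else ""
            items.append((name, parse(tokens)))
        else:
            items.append(tok)
    return items

def blocks(items, name=None):
    # All sub-blocks, or the children of the first sub-block called name.
    subs = [it for it in items if isinstance(it, tuple)]
    return subs if name is None else next((kids for n, kids in subs if n == name), [])

def flat(items):
    # Flatten nested blocks back into a plain word list.
    return [w for it in items for w in ([it] if isinstance(it, str) else [it[0], *flat(it[1])])]

def plaintext_rules(config):
    # One finding per rule whose actions disable server-side SSL.
    # An empty "conditions" list means the rule matches every request.
    findings = []
    for policy, body in blocks(parse(TOKEN.findall(config))):
        for rule, rbody in blocks(blocks(body, "rules")):
            actions = [flat(kids) for _, kids in blocks(blocks(rbody, "actions"))]
            if any(a[:2] == ["server-ssl", "disable"] for a in actions):
                findings.append({"policy": policy, "rule": rule,
                    "pools": [a[a.index("pool") + 1] for a in actions
                              if a[:1] == ["forward"] and "pool" in a[:-1]],
                    "conditions": [" ".join(flat(k)) for _, k in blocks(blocks(rbody, "conditions"))]})
    return findings

if __name__ == "__main__":
    print(plaintext_rules(SAMPLE))
```
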