Forum Discussion
URI Rule in Rewrite profile disable Server SSL profile?
- TMOS 12.1.2HF1
- VS listening on port 80
- Server SSL profile attached
Rewrite profile settings:
- Rewrite Mode: URI Translation
- Parent Profile: rewrite
- Request Settings: Rewrite Headers
- Response Settings: Rewrite Headers, Rewrite Content
URI Rule:
- Client:
- Server:
- Pool member set to port 443
Whith above settings SSL is disabled on backend - client HTTP request on port 80 is passed as HTTP request on port 443 on backend side. There is no SSL Handshake performed.
Result: backend server do not respond
If URI Rule is changed to:
- Client:
- Server: https://
Everything starts to work, BIG-IP is starting SSL Handshake and backend is accepting connection.
Is that by design? So protocol definition in URI Rule is defining protocol used on backend - in other words disables Server SSL profile when set to http for Server?
- dragonflymr
Hi Stan,
Weird that I forgot about this conversation 🙂
One correction to your iRule:
should beif {[POLICY::targets serverssl] } {
if {[POLICY::targets server-ssl] } {
BTW - thanks for pointing out how to use POLICY::targets, it is very useful to make iRule more universal!
Did some tests and can't find a problem with server ssl disable in LTP, either in it was corrected or I have not enough sample traffic to trigger error.
Tested LTP like below switching between HTTPS and HTTP to the same server based on URL. It just works. / is sending traffic over HTTPS and /nossl over HTTP, I can repeat switching forever and can't trigger error.
LTP used
ltm policy test-disable-serverssl-per-request { controls { forwarding server-ssl } description "If URL is /nossl disable serverssl" draft-copy Drafts/test-disable-serverssl-per-request last-modified 2019-02-28:11:50:07 requires { http } rules { change-host_r { actions { 0 { log write facility local0 message "tcl:VS: \"[getfield [virtual name] / 3]\"; Host: \"[HTTP::host]\"; URI: \"[HTTP::uri]\"" priority info } 1 { http-host replace value "tcl:[class match -value [getfield [HTTP::host] : 1] equals vh-parent-https-https-vs_dg]" } } description "Change Host header for any other URL" ordinal 1 } disable-serverssl-via-url_r { actions { 0 { log write facility local0 message "tcl:VS: \"[getfield [virtual name] / 3]\"; Host: \"[HTTP::host]\"; URI: \"[HTTP::uri]\"" priority info } 1 { http-host replace value "tcl:[class match -value [getfield [HTTP::host] : 1] equals vh-parent-https-https-vs_dg]" } 2 { server-ssl disable } 3 { forward select pool vh-site41-80_pl } } conditions { 0 { http-uri path-segment index 1 values { nossl } } } description "Disables serverssl when /nossl URL is discovered; changes Host header" } } status published strategy first-match }
So I am bit puzzled how to trigger issue you described - any hint?
- dragonflymr
Thanks for info, good to know. I never used such scenario so that is why I never experienced problem.
I thing that it can be caused by fact that same TCP Connection on client side is used for request to different URIs that can be passed to different backends - some with SSL some without - what do you think?
Wonder if OneConnect or some one to force client to establish new TCP connection when there is backend switch would solve it?
- Stanislas_Piro2
The issue I had is when sharing same fqdn and disable SSL based on URI!
- dragonflymr
Thanks for info. To be 100% sure - is this related to v13 or it should not work as well in v12?
I will redo the tests but I am 99% sure that I tried such sequence (one VS with LTP and Server SSL profile):
- Connect to FQDN directing to SSL backend - works
- Connect to FQDN directing to no SSL backend - works
- Connect to FQDN directing to another SSL backend - works
Never noticed this issue - but I am on 12.1.2 as already mentioned.
- Stanislas_Piro2
we discovered this behavior after upgrade to version 13.0 because of ssl log level change since version 12.0
the issue is a serverssl disable / enable is per client side connection on client side context. if the first server side connection used a SSL connection, it can't disable SSL for the following server side connection.
to summarize, SSL::disable serverside or LTP disable serverssl can't disable server side ssl per request.
I wrote following rule for this behavior (this is not the one I tested, I rewrite it here)
when HTTP_REQUEST { if {[POLICY::targets serverssl] } { set disable_server_ssl 1 } else { set disable_server_ssl 0 } } when SERVER_CONNECTED { if { $disable_server_ssl == 1 } then { SSL::disable serverside } }
- dragonflymr
Hmm, do you mean that disabling Server SSL via LTP is not working? I had LTP where depending on request Host header Server SSL is kept enabled (two FQDNS) and disabled (one FQDN) - never noticed issue with sending unecrypted traffic to backend - but never noticed CLIENT_HELLO as well because most often my Wireshark was set with http filter :-)
I did however notice some strange errors in LTM log related to VS with LTP:
transaction failed:010716e2:3: Policy '/Common/Drafts/something', rule 'some rule'; an action precedes its conditions.
This is in fact related to rule that is not disabling Server SSL.
- Stanislas_Piro2
I confirm that even if Local Traffic Policy is configured to disable serverssl, it first send CLIENT_HELLO, then fallback to cleartext...
- dragonflymr
Will try to go via Support.
I am not sure about your last advice:
troubleshoot yourself how it is working (multiple rewrite rules depending on the URI and capture server side traffic to see if the F5 send the CLIENT_HELLO packet)
I already checked that when http is set in Server URI then BIG-IP is not sending any CLIENT_HELLO packets but still sending to port 443.
Immediately after changing http to https Server SSL profile starts to work - normal SSL Handshake performed and traffic encrypted.
What is strange that seems to be not a case if Local Traffic Policy is used to switch between Pools with selective disabling Server SSL.
Will have to test but I pretty sure that even if there is URI Rule http <-> http but selected pool member is using Server SSL it is not disabled - encryption works.
- Stanislas_Piro2
I guess you discovered a feature not documented.
you can :
- contact your local F5 team to ask for information.
- open a support case to confirm it's the expected behavior
- troubleshoot yourself how it is working (multiple rewrite rules depending on the URI and capture server side traffic to see if the F5 send the CLIENT_HELLO packet)
Of course, don't forget to share here the information.
I guess the last solution will be quicker than others ;-) . we are still waiting for a clientless feature documentation since several years.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on