Forum Discussion
use ssl profile in an IRule
If you have a SSL VS that points to a pool that contains http 80 and https 443, is there a way to direct traffic to the 443 member and use an ssl profile? I do NOT want to set the ssl PROFILE on the VS level because it would cause the http traffic NOT to work; and we need the http traffic to work on the SSL VS with exception of the below if condition.
ex)
    when HTTP_REQUEST {
        ....
        if { ([string tolower [HTTP::uri]] contains "employee/") or
             ([string tolower [HTTP::uri]] contains "employee%2f") } {
            # use SSL profile here
            pool x_Pool member 192.168.11.58 443
            return
        }
        ....
    }
Thanks in advance.
Regards,
TRX
4 Replies
- nitass
Employee
is this applicable?

    [root@iris:Active] config b virtual bar list
    virtual bar {
       snat automap
       destination 172.28.17.33:http
       ip protocol tcp
       rules myrule
       profiles {
          http {}
          serverssl {
             serverside
          }
          tcp {}
       }
    }
    [root@iris:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          SSL::disable serverside
          if {[string tolower [HTTP::uri]] starts_with "/secure"} {
             SSL::enable serverside
             pool foo member 10.10.70.120 443
          } else {
             pool foo member 10.10.70.110 80
          }
       }
    }
    [root@iris:Active] config b pool foo list
    pool foo {
       members {
          10.10.70.110:http {}
          10.10.70.120:https {}
       }
    }

    [root@iris:Active] config curl -I http://172.28.17.33/
    HTTP/1.1 200 OK
    Date: Wed, 02 Nov 2011 07:59:24 GMT
    Server: Apache/2.0.59 (rPath)
    Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
    ETag: "667a-67-cfb682c0"
    Accept-Ranges: bytes
    Content-Length: 103
    Vary: Accept-Encoding
    Set-Cookie: testcookie=helloworld
    Content-Type: text/html; charset=UTF-8

    [root@iris:Active] config curl -I http://172.28.17.33/secure
    HTTP/1.1 404 Not Found
    Date: Wed, 02 Nov 2011 07:59:29 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1

- nitass
Employee
sorry it is duplicated.
- Michael_Yates
Nimbostratus
Hi trx,
While you can do what you are asking about, you would be far better off putting the servers in different pools (especially for different protocols). It would buy you ease of management, scalability, and the ability to perform health checks on the servers and reroute traffic based on the availability of the servers.
If you hard code Node and Port, if that server is unavailable for any reason your traffic is going to fail utterly.
Just a thought.
- Thanks for the idea.
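The two suggestions in the replies above (toggling the server-side SSL profile per request, and using separate pools instead of a hard-coded member) can be combined as in the following added example, which is not code from any poster in the thread. The pool names `http_pool` and `https_pool` are hypothetical, and decoding the URI before matching and answering 503 when no HTTPS member is up are choices made for this example so the employee paths are never sent to the back end in cleartext.

```tcl
# Added example. Assumes the virtual server carries the http and serverssl
# profiles, as in the "virtual bar" listing above, and that the two pools
# below exist (hypothetical names), each with its own health monitor.
when HTTP_REQUEST {
    # Default for every request: plain HTTP to the back end.
    SSL::disable serverside

    # Decode percent-escapes once so "employee%2f" and "employee/" hit the
    # same test, then lower-case for a case-insensitive match.
    set uri [string tolower [URI::decode [HTTP::uri]]]

    if { $uri contains "employee/" } {
        # Fail closed: if no HTTPS member is available, refuse the request
        # instead of falling through to the cleartext pool.
        if { [active_members https_pool] < 1 } {
            HTTP::respond 503 content "Service unavailable"
            return
        }
        # Re-encrypt toward the server and let the pool pick a healthy member.
        SSL::enable serverside
        pool https_pool
    } else {
        pool http_pool
    }
}
```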
