Forum Discussion

trx's avatar
Nov 02, 2011

use ssl profile in an IRule

Hello Community,

If you have a SSL VS that points to an pool that contains http 80 and https 443, is there a way to direct traffic to the 443 member and use an ssl profile? I do NOT want to set the ssl PROFILE on the VS level because it would cause the http traffic NOT to work; and we need the http traffic to work on the SSL VS with exception of the below if condition.












if { ([string tolower [HTTP::uri]] contains "employee/") or


([string tolower [HTTP::uri]] contains "employee%2f") } {


use SSL profile here


pool x_Pool member 443















Thanks in advance.








4 Replies

  • is this applicable?

    [root@iris:Active] config  b virtual bar list
    virtual bar {
       snat automap
       ip protocol tcp
       rules myrule
       profiles {
          http {}
          serverssl {
          tcp {}
    [root@iris:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            SSL::disable serverside
            if {[string tolower [HTTP::uri]] starts_with "/secure"} {
                    SSL::enable serverside
                    pool foo member 443
            } else {
                    pool foo member 80
    [root@iris:Active] config  b pool foo list
    pool foo {
       members {
    [root@iris:Active] config  curl -I
    HTTP/1.1 200 OK
    Date: Wed, 02 Nov 2011 07:59:24 GMT
    Server: Apache/2.0.59 (rPath)
    Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
    ETag: "667a-67-cfb682c0"
    Accept-Ranges: bytes
    Content-Length: 103
    Vary: Accept-Encoding
    Set-Cookie: testcookie=helloworld
    Content-Type: text/html; charset=UTF-8
    [root@iris:Active] config  curl -I
    HTTP/1.1 404 Not Found
    Date: Wed, 02 Nov 2011 07:59:29 GMT
    Server: Apache/2.0.59 (rPath)
    Content-Type: text/html; charset=iso-8859-1
  • Hi trx,



    While you can do what you are asking about, you would be far better off putting the servers in different pools (especially for different Protocol's). It would buy you ease of management, scalability, and the ability to perform health checks on the servers and reroute traffic based on the availability of the servers.



    If you hard code Node and Port, if that server is unavailable for any reason your traffic is going to fail utterly.



    Just a thought.