Forum Discussion
Using a Server-side HTTP and HTTPS to Different App Server Pools
I have an HTTPS virtual server that does SSL-termination for 150+ applications where the URL is of the form host.name.com/APP1, host.name.com/APP2, etc. The applications are J2EE and the LTM communicates with them using HTTP. The LTM takes the HTTPS request from the client on port 443 and sends it to the correct App server pool using HTTP on port 8080. The routing decision (which app server pool) is made by an iRule that matches APP(X) in the URL and selects the appropriate pool. This works well. Unfortunately, I have one application with a custom extension that needs a certain request to be forwarded as HTTPS (it does string matching on the request URL to verify the validity of the request - the source string is HTTPS and cannot be changed). I tried putting a server-side SSL profile on the virtual server and configuring the pool to use port 443, but as soon as I put the server-side SSL profile on the VS traffic to my non-SSL pools was disrupted - though traffic to my SSL-enabled pool worked great. How can I get the LTM to use HTTP for the majority of my pools, but HTTPS for the one that needs it? I cannot change the hostname of the application or use a custom port (I cannot change the URL the users see). Thanks.
- nitassEmployee
Don't specify any server SSL profile on your virtual server. Just enable a serverside SSL profile in your iRule.
i understand we cannot enable serverssl profile without assigning serverssl profile to virtual server.
- would really be better to start a new question for a new question. the code from that URL might work if there already is a serverside profile applied to the virtual server and with this you just change it.
- CU-Boulder_HousNimbostratusJust to confirm the code in this post will not work as indicated? Setting a variable in HTTP_REQUEST and then reading it and making the change in SERVER_CONNECTED event...https://devcentral.f5.com/s/feed/0D51T00006i7XLmSAM
- Kevin_StewartEmployeeThat is correct. You have to have a serverssl profile assigned to the VIP before you can disable it.
- nitass_89166Noctilucent
Don't specify any server SSL profile on your virtual server. Just enable a serverside SSL profile in your iRule.
i understand we cannot enable serverssl profile without assigning serverssl profile to virtual server.
- would really be better to start a new question for a new question. the code from that URL might work if there already is a serverside profile applied to the virtual server and with this you just change it.
- CU-Boulder_HousNimbostratusJust to confirm the code in this post will not work as indicated? Setting a variable in HTTP_REQUEST and then reading it and making the change in SERVER_CONNECTED event... https://devcentral.f5.com/s/feed/0D51T00006i7XLmSAM
- Kevin_StewartEmployeeThat is correct. You have to have a serverssl profile assigned to the VIP before you can disable it.
- Kevin_StewartEmployee
It may seem counter intuitive, but you would need to apply a server SSL profile to the VIP and disable serverSSL for all non-HTTPS requests.
when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { "/app1*" { SSL::disable serverside pool app1_pool } "/app2*" { SSL::disable serverside pool app2_pool } "/secure*" { pool secure_pool } } }
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com