Forum Discussion

Albert__Tase_70
Jun 29, 2011

Using an iRule to manage and control SSL client profiles

Hello

Is it possible to use an iRule to match based on the HTTPS URL? If it matches, say, https://axc.com, assign SSL client profile A, then load balance to a specific pool?

And in the same iRule, on the same VIP, if it matches https://axb.com, assign it SSL client profile B, then load balance to a different pool?

Thanks

Al
  •
    Colin_Walker_12
    Historic F5 Account
    Technically speaking you won't be able to do anything with traffic inspection until the traffic is decrypted anyway, meaning that a client profile will have been enforced. You're able to switch profiles at that point, if you want, with SSL::renegotiate, but you can't do that before the decryption happens. And yes, you can certainly direct to different pools based on URL once the traffic is decrypted.
    Colin
  • Here are two different ways I do it. The first is based in a single VS and iRule doing different redirects to pools. The second is redirecting to another VS. You can use this second method if you wanted to do something like apply client certs, as in this example. You'll have to strip out what you don't need; I was OTR when I posted this.


    First:

    rule rule_www.abc.com_443 {
        when HTTP_REQUEST {
            if { [string tolower [HTTP::uri]] contains "test" } {
                # plain HTTP to the backend
                SSL::disable serverside
                pool pool_www.abc.com_80
            } elseif { [string tolower [HTTP::uri]] eq "/" } {
                SSL::disable serverside
                HTTP::redirect "https://www.abc.com/home.aspx"
            } elseif { [string tolower [HTTP::uri]] starts_with "/def" } {
                # re-encrypt and hand off to the server-SSL virtual
                SSL::enable serverside
                pool pool_www.abc.com_doc_443
                snat none
                virtual vs_www.abc.com_443-SERVERSSL
            } elseif { [string tolower [HTTP::uri]] contains "myweb" } {
                SSL::enable serverside
                pool pool_www.abc.com_myweb_443
                snat none
                virtual vs_www.abc.com_443-SERVERSSL
            } elseif { [string tolower [HTTP::uri]] starts_with "/files/" } {
                # rewrite the path before sending it to the files pool
                set uri [findstr [HTTP::uri] "/Files/" 10]
                HTTP::uri "/abc/$uri"
                log local0. "[HTTP::uri] matched /abc$uri"
                SSL::disable serverside
                pool pool_www.abc.com_files_80
            } else {
                SSL::disable serverside
                pool pool_www.abc.com_80
            }
        }
    }


    Second:

    rule rule_alpha.bravo.com_443 {
        when HTTP_REQUEST {
            if { [HTTP::uri] starts_with "/abcd" } {
                # send this path to the client-cert virtual on port 444
                set exact_name "https://[HTTP::host]:444[HTTP::uri]"
                HTTP::redirect "https://[HTTP::host]:444[HTTP::uri]"
                log local0. "got here $exact_name"
            } elseif { ([HTTP::uri] eq "/")
                or ([HTTP::uri] starts_with "/test.htm")
                or ([HTTP::uri] starts_with "/efg/")
                or ([HTTP::uri] starts_with "/hij/")
                or ([HTTP::uri] starts_with "/klm/")
                or ([HTTP::uri] starts_with "/nop/") } {
                # allow if it matches the above, otherwise reject per below
            } else {
                reject
            }
        }
    }

    rule rule_alpha.bravo.com_444 {
        when CLIENTSSL_CLIENTCERT {
            # release any HTTP data held while the client certificate was requested
            HTTP::release
            if { [SSL::cert count] < 1 } {
                reject
            }
        }
    }
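A host-based variant of the pool steering shown in the replies, written as an added example for this thread (not code posted by any of the participants). It runs after the virtual server's client SSL profile has decrypted the request, so the Host header is readable; the hostnames come from the question and the pool names are placeholders.

```tcl
# Added example, not from the thread. By the time HTTP_REQUEST fires the
# client SSL profile has already decrypted the connection, so the profile
# itself cannot be chosen here; only the pool can.
when HTTP_REQUEST {
    # Host may arrive with a port suffix and mixed case; normalise both
    # so "AXC.com:443" and "axc.com" hit the same branch.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -glob -- $host {
        "axc.com" -
        "*.axc.com" {
            # placeholder pool name
            pool pool_axc_443
        }
        "axb.com" -
        "*.axb.com" {
            # placeholder pool name
            pool pool_axb_443
        }
        default {
            # Unknown or empty Host: do not fall through to a default pool.
            log local0. "rejected request for host '$host' from [IP::client_addr]"
            reject
        }
    }
}
```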
  • Until all commonly used OSes and browsers support TLS Server Name Indication (SNI), this won't be practical to implement on LTM or any network device.
    Aaron