Forum Discussion
Albert__Tase_70
Nimbostratus
Nimbostratususing Irule to manage and control ssl client profiles
Hello
Is it possible to use an Irule to match based on https url if it matches say https://axc.com assign ssl client profile A then load balnce to a spefic pool ?
and in same Irule same vip if it matches https://axb.com assign it ssl client profile B then load balance to a different pool ?
Thanks
Al
4 Replies
- Technically speaking you won't be able to do anything with traffic inspection until the traffic is decrypted anyway, meaning that a client profile will have been enforced. You're able to switch profiles at that point, if you want, with SSL::renegotiate, but you can't do that before the decryption happens. And yes, you can certainly direct to different pools based on URL once the traffic is decrypted.
Colin 
Valentine_96813Here are two different ways I do it. The first is based in a single VS and iRule doing different redirects to pools. The second is redirecting to another VS. You can use this second method if you wanted do something like apply client certs as in this example. You'll have to strip out what you dont need, I was OTR when I posted this.
First:
}
rule rule_www.abc.com_443 {
when HTTP_REQUEST {
if { [string tolower [HTTP::uri]] contains "test" } {
SSL::disable serverside
pool pool_www.abc.com_80
} elseif { [string tolower [HTTP::uri]] eq "/" } {
SSL::disable serverside
HTTP::redirect "https://www.abc.com/home.aspx"
} elseif { [string tolower [HTTP::uri]] starts_with "/def" } {
SSL::enable serverside
pool pool_www.abc.com_doc_443
snat none
virtual vs_www.abc.com_443-SERVERSSL
} elseif { [string tolower [HTTP::uri]] contains "myweb" } {
SSL::enable serverside
pool pool_www.abc.com_myweb_443
snat none
virtual vs_www.abc.com_443-SERVERSSL
} elseif { [string tolower [HTTP::uri]] starts_with "/files/" } {
set uri [findstr [HTTP::uri] "/Files/" 10 ]
HTTP::uri "/abc/$uri"
log local0. "[HTTP::uri] matched /abc$uri"
SSL::disable serverside
pool pool_www.abc.com_files_80
} else {
SSL::disable serverside
pool pool_www.abc.com_80
}
}
Second:
}
rule rule_alpha.bravo.com_443 {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/abcd" } {
set exact_name "https://[HTTP::host]:444[HTTP::uri]"
HTTP::redirect "https://[HTTP::host]:444[HTTP::uri]"
log local0. "got here $exact_name"
} elseif { ([HTTP::uri] eq "/")
or ([HTTP::uri] starts_with "/test.htm")
or ([HTTP::uri] starts_with "/efg/")
or ([HTTP::uri] starts_with "/hij/")
or ([HTTP::uri] starts_with "/klm/")
or ([HTTP::uri] starts_with "/nop/") } {
allow if matches the above otherwise reject per below
}
else {
reject
}
}
}
rule rule_alpha.bravo.com_444 {
when CLIENTSSL_CLIENTCERT {
HTTP::release
if { [SSL::cert count] < 1 } {
reject
}
}
hoolioCirrostratus
Until all commonly used OS's and browsers support TLS server name indication (SNI), this won't be practical to implement on LTM or any network device.
Aaron- hoolio...
