Yaniv_93956
Mar 27, 2013

VIP Decrypt SSL, but iRule sends to HTTPS

Hello DevCentral,

I’m having a problem with an iRule that I’m trying to set.

I have a VIP that receives HTTPS traffic and decrypts it.

The settings for this VIP are:

SSL Profile (Client): {My SSL}
SSL Profile (Server): None

The iRule that I am trying to set rewrites the traffic to another HTTPS URL (on a single server).

As you can imagine, it’s not working, as the VIP decrypts the SSL on one hand, but the iRule sends the traffic to another HTTPS on the other hand.

This is the iRule syntax:

    when HTTP_REQUEST {
        # Route change-password requests for qa.domain.com to the single server
        if { (([string tolower [HTTP::uri]] starts_with "/changepassword") && ([string tolower [HTTP::host]] equals "qa.domain.com")) } {
            HTTP::header replace Host "qachangepassword.domain.com"
            node 192.168.12.233
        }
    }

Without HTTPS (using HTTP), everything works well.

If I change the “SSL Profile (Server)” on the VIP, everything works well too.

Any ideas?

Tnx, Yaniv.

5 Replies

  • I'm guessing by your description that you have one server that's listening on 443 (HTTPS) while all of the others are listening on 80 (HTTP). If that's true, then you should consider applying a server SSL profile to the VIP and enabling/disabling serverside SSL processing with the SSL::disable command based on the request. Here are some examples:

    https://devcentral.f5.com/wiki/iRules.SSL__disable.ashx


  • Hi Kevin,

    All the servers in the VIP listen on HTTP, as the F5 decrypts the traffic for them.

    The single server listens on HTTPS.

    Could you possibly give me an example for the iRule syntax?

    Tnx, Yaniv.
  • Maybe something like this (with a serverssl profile applied to the VIP):

        when HTTP_REQUEST {
            # Default: no server-side SSL, plain HTTP to the servers
            SSL::disable serverside
            if { ( [string tolower [HTTP::uri]] starts_with "/changepassword" ) && ( [string tolower [HTTP::host]] equals "qa.domain.com" ) } {
                # Re-encrypt only for the server that listens on HTTPS
                SSL::enable serverside
                HTTP::header replace Host "qachangepassword.domain.com"
                node 192.168.12.233 443
            }
        }
  • Hi Kevin,

    Thank you for your help, but I'm unable to change the VIP settings, as there is another system which uses it, and it works only if the serverssl profile is set to "None".

    Is there maybe an option to apply a serverssl profile in the iRule?

    Tnx, Yaniv.
  • You can enable or disable an SSL profile, or change an SSL profile if one is already applied, but you can't add one on the fly with an iRule. An alternative may be to use a VIP targeting approach. Instead of sending the changepassword traffic to a node, send it to another virtual server (using the virtual command) that you do have control of.
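
The VIP-targeting approach described in the last reply, sketched as an added example that is not part of the original thread. It assumes a second virtual server, given the hypothetical name vs_changepassword_ssl, that carries the server SSL profile and has 192.168.12.233:443 as its only pool member, and it assumes the existing VIP has a default pool.

```tcl
# Added example: iRule for the existing VIP (client SSL profile only,
# server SSL profile left at "None").
#
# Assumption: a second virtual server, here called vs_changepassword_ssl
# (hypothetical name), exists with an HTTP profile, a server SSL profile,
# no client SSL profile, and a pool whose only member is
# 192.168.12.233:443. That virtual server does the re-encryption.

when CLIENT_ACCEPTED {
    # Remember the VIP's default pool (assumed to be configured) so that
    # later requests on the same keep-alive connection can go back to it.
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] starts_with "/changepassword") &&
         ([string tolower [HTTP::host]] equals "qa.domain.com") } {
        # Same Host rewrite as in the thread, then hand the decrypted
        # request to the internal virtual server instead of a node.
        HTTP::header replace Host "qachangepassword.domain.com"
        virtual vs_changepassword_ssl
    } else {
        # Explicitly reselect the default pool so a request that follows
        # a /changepassword request on the same client connection is not
        # left pointing at the other virtual server.
        pool $default_pool
    }
}
```

Because the server SSL profile sits on the second virtual server, the existing VIP keeps "SSL Profile (Server): None" for the other system that depends on it.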