For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Mar 18, 2015

If you are not doing ssl offload, you cannot use L7 iRules for the ssl traffic - like the one above.

 

Are you intending to use the same virtual server for both unencrypted and encrypted traffic? That would make the virtual server iRule a bit complicated as you have to detect ssl handshake to distinguish between those two traffic types. Anyway, if you want to do anything on Layer 7 (like the XFF insertion) for the ssl traffic, you must terminate SSL on the BIG-IP, so open up the encryption. You can then re-encrypt towards the backend servers.

 

Is it possible to use two virtual servers, same IP, different ports, one for unencrypted and the other for encrypted traffic? Keep in mind that the virtual server is a combination of IP and port, typically port 80 for plain text http and 443 for ssl. You can tie the same iRule to both.

 

Or are you intending to use BIG_IP as a proxy server (as you are looking for the CONNECT method)? So converting the traffic to tunnel the ssl through?