HTTPS passthrough fallback URL

Problem this snippet solves:

This iRule allows an administrator to pass HTTPS traffic through the BIG-IP without decrypting it. If there are no nodes available in the pool, the rule will use a client SSL profile and HTTP profile to decrypt the HTTPS and issue a redirect to a maintenance page.

The iRule depends on having the SSL certificate and key imported to the BIG-IP, configured in a client SSL profile and attached to the virtual server. An HTTP profile must also be associated with the virtual server. The virtual server and pool would typically be configured for HTTPS on port 443.

How to use this snippet:

Note that this rule won't redirect a client whose TCP connection was established while the pool was up and which then keeps re-using that connection after the pool goes down: CLIENT_ACCEPTED fires once per TCP connection, and SSL::disable and HTTP::disable apply to the whole connection, so an existing keep-alive connection stays in passthrough mode. Also, active_members only counts members that a health monitor has not marked down, so the pool needs a monitor (for example the built-in https monitor); with no monitor attached, members are never marked down and the fallback never triggers. Once done testing, comment out or remove the log statements.

Code :

when CLIENT_ACCEPTED {

   log local0. "[IP::client_addr]:[TCP::client_port]: Received connection with active members: [active_members [LB::server pool]]"

   # Check if there are members available in the VIP's default pool
   if {[active_members [LB::server pool]]}{

      # Disable the client SSL profile so the HTTPS traffic is passed through encrypted to the node
      SSL::disable

      # Disable the HTTP profile as we're not going to redirect this request
      HTTP::disable

      log local0. "[IP::client_addr]:[TCP::client_port]: Members available"
   }
}
when HTTP_REQUEST {

   # HTTP_REQUEST only fires when CLIENT_ACCEPTED found no active members, because in that case the
   #   client SSL and HTTP profiles were left enabled and the BIG-IP decrypts and parses the request

   # Redirect the client
   HTTP::redirect "https://maintenance.example.com"

   # Close the TCP connection so that the pool is re-checked (in CLIENT_ACCEPTED) for every HTTP request.
   #   This prevents clients from continuing to be redirected after the pool comes back up,
   #   which would happen if they re-used the same TCP connection.
   TCP::close

   log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request"
}
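The prerequisites described above (imported certificate and key, client SSL profile, HTTP profile, monitored pool and the virtual server on port 443) can be stitched together from tmsh. The following is an added configuration example, not part of the original snippet: the object names, the 192.0.2.10 virtual address, the 10.0.0.11/10.0.0.12 pool members and the certificate and key file names are assumptions, and it assumes the iRule above has already been saved on the BIG-IP under the name https_passthrough_fallback.

```tmsh
# Added example configuration (assumed names and addresses), not from the original page.

# Pool of HTTPS origins. The monitor matters: active_members in the iRule only counts
# members that have not been marked down, so without a monitor the fallback never fires.
create ltm pool https_pool monitor https members add { 10.0.0.11:443 10.0.0.12:443 }

# Client SSL profile built from the certificate and key already imported to the BIG-IP.
# The certificate must be valid for the hostname clients use: in the normal passthrough
# case the origin presents its own certificate, in the fallback case the BIG-IP presents this one.
create ltm profile client-ssl https_fallback_clientssl defaults-from clientssl cert www.example.com.crt key www.example.com.key

# Virtual server on 443 with the TCP, HTTP and client SSL profiles and the iRule attached.
# The iRule disables the SSL and HTTP profiles per connection whenever the pool has active members.
create ltm virtual https_passthrough_vs destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http https_fallback_clientssl } pool https_pool rules { https_passthrough_fallback }

# Checks while testing: confirm the member states the iRule will see, then watch the log lines
# written by the rule (they go to local0, which lands in /var/log/ltm).
show ltm pool https_pool members
```

To exercise both paths, watch /var/log/ltm while connecting with a client such as curl -v against the virtual address: with members up, the TLS handshake is completed by the origin and its certificate is shown; after forcing the members down (or stopping the origin service so the monitor marks them down), a new connection is decrypted by the BIG-IP and answered with the 302 to the maintenance host. If the explicit TCP::close is not wanted, the same redirect can be sent with HTTP::respond 302 together with a Location header and a Connection close header, which makes the BIG-IP close the connection after delivering the response.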
Published Mar 18, 2015
Version 1.0
