David_H
Apr 24, 2014

Can I set a serverssl profile in an iRule?

I am looking around on the F5 DevCentral to see if I can add a server side SSL profile in an iRule. I have a vendor that has apparently hard coded or is checking SSL in their web software, so they are wanting us to send 443 to the server from F5. But because our shared configuration is coming in through one IP address, we have a large number of apps using SSL, but only port 80 is needed on the back end. So now we want to add one server needing SSL to the back-end.

 

I know we cannot add a serverssl profile in the Virtual Server because that will affect all pools. So, I am wondering if we can add a profile serverssl to our iRule that strips off traffic to that special server?

 

Looking through my iRule programming book, I see I can add Stream or Stat profiles.

 

4 Replies

  • An SSL profile has to be assigned to the VIP before you can use any of the SSL iRule commands. If a profile is assigned at the VIP (even a generic one) you can then enable, disable, switch profiles and trigger renegotiation from within an iRule.

     

    If you can't add a profile to the VIP as you mentioned in your post, then no. You cannot add a profile from the iRule.

     

    From the description, it sounds like you are already offloading SSL at the LTM but this one app wants you to use SSL on the back-end connection also. In that case, you may be able to add an empty clientssl profile on the VIP so it will accept connecting to the back-end application.

     

    Another question you should ask your vendor is if they support flagging a connection as "isSecure" by having the LTM inject a header in the request stream. This is most frequently done when the back-end app needs to be aware that the request was already secured when it creates responses. (Two prime examples of this are MS Exchange Web Access and SharePoint 2013). If that is the case, then all you really need to do is add a rule to insert a custom header in the request stream and you can offload the SSL as is.

     

    • Jimmy-old

      My case is similar to David's, wherein the Virtual Server has a ClientSSL Profile associated and a couple of HTTP pools, and now I need to add an HTTPS pool to the Virtual Server.

       

      So, can I add a ServerSSL-specific iRule without associating a ServerSSL Profile to the Virtual Server?
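
The first reply describes two mechanisms: toggling server-side SSL from an iRule once a profile is on the virtual server, and injecting a header so the back end knows the request arrived secured. The iRule below is an added example, not code from the thread or from F5, showing both together. It assumes a serverssl profile is already attached to the virtual server; the host name, pool names and the choice of `X-Forwarded-Proto` as the header are hypothetical.

```tcl
# Added example (not from the thread). Assumes a serverssl profile is already
# attached to the virtual server; host and pool names are hypothetical.
when HTTP_REQUEST {
    # Drop any client-supplied copy first so the back end only ever sees the
    # value set here, then mark the request as having arrived over SSL.
    HTTP::header remove "X-Forwarded-Proto"
    HTTP::header insert "X-Forwarded-Proto" "https"

    # The Host header may carry a port; compare on the name only.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "vendorapp.example.com" {
            # Vendor application: re-encrypt to the server (port 443 members).
            # Enabled explicitly in case an earlier request on this client
            # connection disabled it.
            SSL::enable serverside
            pool pool_vendor_https
        }
        default {
            # All other applications: keep plain HTTP to the back end by
            # switching the attached serverssl profile off for this request.
            SSL::disable serverside
            pool pool_shared_http
        }
    }
}
```

Without a serverssl profile on the virtual server the `SSL::enable serverside` and `SSL::disable serverside` commands have nothing to act on, which is the constraint the first reply describes.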