Forum Discussion

lior (Nimbostratus)
Nov 10, 2022

client not support ssl to ssl supported server

Hi all,

I have a situation where I have an application that needs to send API requests, and if they come from a certain source IP I need to forward them to another pool.
I can't do a redirect (302) because it's an API; I have to just send the traffic forward, and it needs to be encrypted with SSL.

I tried to do it with an iRule. I think I got the part where I rewrite the traffic, but I can't make it use SSL on the server side only.


iRule -

when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals "10.10.10.10"] } {
        HTTP::header replace Host "xyz"
        pool another_pool-443
        HTTP::uri "abcwq/"
    }
}

4 Replies

  • You should be able to achieve this with a serverSSL profile on your virtual server.

    If only this very specific traffic needs encryption, you could add an "else" statement with the SSL::disable serverside command in addition to the serverSSL profile.. something like this

    when HTTP_REQUEST {
        # assume no server-side SSL unless the special source matches
        set nossl 1
        if { [IP::addr [IP::client_addr] equals "10.10.10.10"] } {
            HTTP::header replace Host "xyz"
            pool another_pool-443
            HTTP::uri "abcwq/"
            set nossl 0
        }
    }
    when SERVER_CONNECTED {
        # leave server-side SSL on only for the matched source
        if { $nossl } { SSL::disable }
    }


    • lior (Nimbostratus)

      I have configured the server SSL profile "serverssl" on the same VIP that is configured with the iRule and it didn't work..

      with Wireshark I still see no SSL

  • xuwen (Cumulonimbus)

    Firstly, configure the virtual server to add a server SSL profile; the server SSL profile needs a cert and key.

    Give your LTM configuration or a screenshot (can LTM ping the pool members' IP addresses? If LTM can ping, enable Automap on the VS to exclude network route problems), i.e. list ltm virtual XXX. It is normal for us to test with BIG-IP VE. At the same time, run tcpdump on the back-end server and on the LTM server side to check whether LTM sends a ClientHello packet on the server side (when your back-end server performs the HTTPS handshake, does it require the ClientHello message to carry an SNI field?). Another point is that a URI in the normal format starts with "/",
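As an added example (not code from either reply or from F5), the same selective re-encryption done entirely in HTTP_REQUEST, so the server-side SSL decision is made before the pool is selected; it assumes a serverssl profile is attached to the virtual server and two pools named plain_pool-80 and another_pool-443 (names assumed):

```tcl
# Added example: selective server-side TLS on one virtual server.
# Assumptions: a serverssl profile is attached to the virtual server,
# plain_pool-80 serves the ordinary traffic, another_pool-443 is the
# HTTPS pool reached only from 10.10.10.10 (all three names assumed).

when CLIENT_ACCEPTED {
    # Default to cleartext toward the pool. The serverssl profile stays
    # attached but is switched off until a request explicitly turns it on.
    SSL::disable serverside
}

when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        # Re-encrypt with the attached serverssl profile, then rewrite and route.
        SSL::enable serverside
        HTTP::header replace Host "xyz"
        # A request URI must begin with "/" or the back end will reject it.
        HTTP::uri "/abcwq/"
        pool another_pool-443
    } else {
        # Everything else goes to the plain pool without server-side TLS.
        SSL::disable serverside
        pool plain_pool-80
    }
}
```

On a keep-alive client connection the pool and server-side SSL choice apply when a new server-side connection is opened, so attach a OneConnect profile if consecutive requests on one connection can differ. Confirm the profile is really on the virtual server with `tmsh list ltm virtual <vs_name> profiles`, and a server-side tcpdump should then show a ClientHello only for requests from 10.10.10.10.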

    give your LTM configuration or screenshot(does LTM can ping pool members ip address?if LTM can ping, VS enable Automap,exclude network route problems ), list ltm virtual XXX. It is normal for us to test with bigip VE. At the same time, tcpdump is performed on the back-end server and in the LTM serverside direction to check out LTM whether send ClientHello packet in the serverside(when your back-end server performs https handshake whether want to force the ClientHello message to carry SNI fields?). Another point is that the URI in the normal format starts with "/",