Content switching with SSL offloading on a single virtual server address

jake_macabuag_4
Nimbostratus

Hi guys,

We are planning to implement content switching using just one virtual server IP address. This single IP will represent multiple URLs with SSL, in order for our client to save IP addresses. Can a single VS handle multiple SSL certificates and use an iRule to determine which one to use? Basically, here is the traffic flow.

Sample

1. Client -> www.test1.com/xxx -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send to depending on the URL or URL parameter) -> iRule3 (policy to check if the client IP address is allowed to access the pool) -> pool_test1

2. Client -> www.test1.com/yyy -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send to depending on the URL or URL parameter) -> iRule3 (policy to check if the client IP address is allowed to access the pool) -> pool_test2

3. Client -> www.test2.com/xxx -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send to depending on the URL or URL parameter) -> iRule3 (policy to check if the client IP address is allowed to access the pool) -> pool_test3

4. Client -> www.test2.com/yyy -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send to depending on the URL or URL parameter) -> iRule3 (policy to check if the client IP address is allowed to access the pool) -> pool_test4

The client is using Citrix and we wanted to replace it with F5.

Many thanks

 

21 REPLIES

nitass
F5 Employee
> Can a single VS handle multiple SSL certificates and use an iRule to determine which one to use?

Is the SNI feature usable?

sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html

jake_macabuag_4
Nimbostratus
Thanks nitass. I will read the doc and see from there.

jake_macabuag_4
Nimbostratus
Hello! Additional requirement.

Can you help me with how to include an IP filter that only allows certain IP addresses to access the pool? Should I use matchclass? How do I include it in the iRule?

Many thanks

nitass
F5 Employee
> Can you help me with how to include an IP filter that only allows certain IP addresses to access the pool? Should I use matchclass? How do I include it in the iRule?

You should use the "class" command.

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when CLIENT_ACCEPTED {
    if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
        log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
        reject
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
    }
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
ltm data-group internal allow_ip_class {
    records {
        192.168.206.33/32 { }
    }
    type ip
}
[root@ve11a:Active:Changes Pending] config # tail -f /var/log/ltm
Jan 14 14:24:29 ve11a info tmm[11170]: Rule /Common/myrule : 172.28.19.251:48999 is rejected
Jan 14 14:24:36 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:54606 is accepted

jake_macabuag_4
Nimbostratus
Hi Nitass, thanks for the quick reply. But how can I incorporate that with my previous HTTP iRule? Basically, after doing the content switching, it will check if the client IP is allowed to access the pool before forwarding it. Else, it will be rejected.

Is it possible to do nested IFs? Thanks for the support. Just a newbie in iRules.

jake_macabuag_4
Nimbostratus

when HTTP_REQUEST {
    # case insensitive
    if { [string tolower [HTTP::uri]] contains "opis" } {
        pool OPIS_POOL
    } elseif { [string tolower [HTTP::uri]] contains "reseller" } {
        pool RESELLER_POOL
    } else {
        pool RESELLER_POOL
    }
}

jake_macabuag_4
Nimbostratus
Can you check if this will work???

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "opis" } {
        if { [class match [IP::client_addr] equals allowed_ip_1] } {
            pool OPIS_POOL
        }
    } elseif { [string tolower [HTTP::uri]] contains "reseller" } {
        if { [class match [IP::client_addr] equals allowed_ip_2] } {
            pool RESELLER_POOL
        }
    }
}

nitass
F5 Employee
> But how can I incorporate that with my previous HTTP iRule? Basically, after doing the content switching, it will check if the client IP is allowed to access the pool before forwarding it. Else, it will be rejected.

The CLIENT_ACCEPTED event is triggered before the HTTP_REQUEST event. So, we can reject the client IP address in CLIENT_ACCEPTED and select the pool based on the URL in HTTP_REQUEST.

iRules Insight - HTTP Event Order by Jason
https://devcentral.f5.com/blogs/us/irules-insight-http-event-order

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when CLIENT_ACCEPTED {
    log local0. "-"
    if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
        log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
        reject
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
    }
}
when HTTP_REQUEST {
    log local0. "-"
    # case insensitive
    set uri [string tolower [HTTP::uri]]
    switch -glob $uri {
        "*opis*" { pool OPIS_POOL }
        "*reseller*" { pool RESELLER_POOL }
        default { pool RESELLER_POOL }
    }
}
when SERVER_CONNECTED {
    log local0. "-"
    log local0. "client [IP::client_addr]:[TCP::client_port] | uri $uri | pool [LB::server pool] | pool member [LB::server addr]:[LB::server port]"
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
ltm data-group internal allow_ip_class {
    records {
        192.168.206.33/32 { }
    }
    type ip
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool OPIS_POOL
ltm pool OPIS_POOL {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool RESELLER_POOL
ltm pool RESELLER_POOL {
    members {
        200.200.200.111:80 {
            address 200.200.200.111
        }
    }
}
[root@ve11a:Active:Changes Pending] config # tail -f /var/log/ltm
Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : 172.28.19.251:49004 is rejected
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55244 is accepted
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55244 | uri /opis/something | pool /Common/OPIS_POOL | pool member 200.200.200.101:80
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55246 is accepted
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55246 | uri /reseller/something | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : 192.168.206.33:55247 is accepted
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : client 192.168.206.33:55247 | uri /somethingelse | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80

jake_macabuag_4
Nimbostratus
Many thanks!!!!

jake_macabuag_4
Nimbostratus
Thanks for the explanation and the sample iRule. I'll check on this and try it in the lab.

Many thanks!!!!

jake_macabuag_4
Nimbostratus
Seems like we will encounter a problem. IP filtering will be done at the pool level and not on the VS.

1. There is a list of IP addresses that are allowed to access POOL_A and a different set of addresses for POOL_B, and so on. Not limited to just one data group. Example:

Data group Allowed_Pool_A = IP addresses A, B and C ---> allowed to access OPIS POOL but not RESELLER POOL
Data group Allowed_Pool_B = IP addresses X, Y and Z ---> allowed to access RESELLER POOL but not OPIS POOL

If the IP is accepted by the first iRule, it has no means to check whether it is allowed to access the pool.

nitass
F5 Employee
In that case, you can check the client IP address in the HTTP_REQUEST event instead of CLIENT_ACCEPTED, similar to the iRule you wrote.
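The per-pool check nitass describes, written out as an added example (not code from the thread): the data-group lookup moves into HTTP_REQUEST, where the URI already tells us which pool, and each pool gets its own allow-list. The data-group names allowed_opis and allowed_reseller (type ip) are assumptions for the example.

```tcl
# Added example: per-pool client IP allow-lists evaluated in HTTP_REQUEST, because
# the target pool is only known after the URI has been inspected.
# Assumed data groups (type ip): allowed_opis, allowed_reseller, each holding the
# source addresses or subnets permitted to reach that pool.
when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    switch -glob -- $uri {
        "*opis*" {
            set target_pool "OPIS_POOL"
            set allow_class "allowed_opis"
        }
        "*reseller*" {
            set target_pool "RESELLER_POOL"
            set allow_class "allowed_reseller"
        }
        default {
            # same fallback as the switch in nitass's example above
            set target_pool "RESELLER_POOL"
            set allow_class "allowed_reseller"
        }
    }
    # class match returns 1 when the client address falls inside any record
    # (host or subnet) of the selected data group
    if { [class match -- [IP::client_addr] equals $allow_class] } {
        pool $target_pool
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port] denied for $target_pool (uri $uri)"
        # The TLS session is already up, so answer with a 403 rather than
        # reject, which would only reset the TCP connection.
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}
```

Because the decision is made per request rather than per connection, a keep-alive client that is allowed on one path and not on another gets the right answer for each request.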

jake_macabuag_4
Nimbostratus
OK, will try both. Many thanks.

jake_macabuag_4
Nimbostratus
Hi, seems everything is working for now. Thanks for that. Is there a need to optimize the rule, because it looks quite slow? I am not sure if it has to do with the nested IFs. What is the purpose of the command RETURN?

Additional requirement 🙂

1. Users will just type www.test.com in their browser, which will redirect the user to "www.test.com/reseller", BUT the link in the browser will still show www.test.com. The user is not aware of the redirection.

nitass
F5 Employee
> I am not sure if it has to do with the nested IFs.

Is this article helpful?

Comparing iRule Control Statements by Joe
https://devcentral.f5.com/tech-tips/articles/comparing-irule-control-statements

> What is the purpose of the command RETURN?

return Wiki
https://devcentral.f5.com/wiki/irules.return.ashx

> 1. Users will just type www.test.com in their browser, which will redirect the user to "www.test.com/reseller", BUT the link in the browser will still show www.test.com. The user is not aware of the redirection.

You can use the HTTP::uri command.

HTTP::uri Wiki
https://devcentral.f5.com/wiki/iRules.HTTP__uri.ashx

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/" } {
        HTTP::uri "/reseller"
    }
}
}
[root@ve11a:Active:Changes Pending] config # ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
New TCP connection #1: 172.28.19.251(49780) <-> 172.28.20.14(443)
1 1  1358684881.2414 (0.0197)  C>S  SSLv2 compatible client hello
1 2  1358684881.2414 (0.0000)  S>CV3.1(81)  Handshake
1 3  1358684881.2414 (0.0000)  S>CV3.1(866)  Handshake
1 4  1358684881.2414 (0.0000)  S>CV3.1(4)  Handshake
1 5  1358684881.2436 (0.0021)  C>SV3.1(262)  Handshake
1 6  1358684881.2436 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 7  1358684881.2436 (0.0000)  C>SV3.1(36)  Handshake
1 8  1358684881.2524 (0.0087)  S>CV3.1(1)  ChangeCipherSpec
1 9  1358684881.2524 (0.0000)  S>CV3.1(36)  Handshake
1 10 1358684881.2534 (0.0009)  C>SV3.1(174)  application_data
---------------------------------------------------------------
GET / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: www.test.com

---------------------------------------------------------------
New TCP connection #2: 200.200.200.13(16983) <-> 200.200.200.101(80)
1358684881.2555 (0.0016)  C>S
---------------------------------------------------------------
GET /reseller HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: www.test.com

---------------------------------------------------------------

jake_macabuag_4
Nimbostratus
1. Users will just type www.test.com in their browser, which will redirect the user to "www.test.com/reseller", BUT the link in the browser will still show www.test.com. The user is not aware of the redirection.

when HTTP_REQUEST {
    log local0. "in HTTP_REQUEST"
    if { [HTTP::uri] equals "/" } {
        HTTP::uri "/opis"
    }
}

I tried using this, but the browser will still show the complete URL including the /opis. Is there a way not to show /opis in the browser? Only www.test.com.ph.

Thanks

jake_macabuag_4
Nimbostratus
1. Users will just type www.test.com in their browser, which will redirect the user to "www.test.com/reseller", BUT the link in the browser will still show www.test.com. The user is not aware of the redirection.

when HTTP_REQUEST {
    log local0. "in HTTP_REQUEST"
    if { [HTTP::uri] equals "/" } {
        HTTP::uri "/reseller"
    }
}

I tried using this, but the browser will still show the complete URL including the /reseller. Is there a way not to show /reseller in the browser? Only www.test.com.ph.

Thanks

jake_macabuag_4
Nimbostratus
OR

the user will type in www.test.com.ph/reseller but the browser will just show www.test.com.ph

What_Lies_Bene1
Cirrostratus
Posted By jake macabuag on 01/21/2013 11:12 PM

> OR
>
> the user will type in www.test.com.ph/reseller but the browser will just show www.test.com.ph

That isn't possible really, you can't control the browser directly.

Regarding the iRule, it should work just fine, but you'll probably find all the links returned by the server don't include what you want shown. That being the case, you'll probably need to expand the iRule to accommodate all the possible paths that the server might return, or use a Stream profile to rewrite the links in the server responses.
jake_macabuag_4
Nimbostratus
Thanks Steve for your reply. Actually, our customer has an existing Citrix NetScaler and this is one thing that it does. We are just trying to show that F5 can do more aside from their existing configuration/setup. I'll just try to explore other sample iRules and see if I can start from there.

Many thanks

nitass
F5 Employee
> I tried using this, but the browser will still show the complete URL including the /opis. Is there a way not to show /opis in the browser? Only www.test.com.ph.

I understand HTTP::uri is the right command. However, I think it does not work because there may be an HTTP redirection from the web server which you might not notice. Have you ever used an HTTP analyzer tool such as HttpWatch or HttpFox? It would be helpful to see what is going on.

HttpFox
https://addons.mozilla.org/en-us/firefox/addon/httpfox/
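The server-side redirect nitass suspects and the link problem Steve raised can be handled together on the BIG-IP, as an added example (not code from the thread): HTTP::uri rewrites inbound paths as before, and HTTP_RESPONSE strips the prefix from any Location header the server sends back, so a 301/302 to /reseller/ never reaches the browser. It assumes the application lives under /reseller on the pool members and that the client-ssl profile terminates TLS so the HTTP events see clear-text headers; links inside HTML bodies still need the Stream profile Steve mentions.

```tcl
# Added example: keep "/reseller" out of the browser's address bar.
# Assumes the pool members serve the application under /reseller and that the
# virtual server has a client-ssl and an http profile attached.
when HTTP_REQUEST {
    # Anything the browser asks for without the prefix is mapped under /reseller.
    # "/" becomes "/reseller/" (trailing slash), so the server has no reason to
    # send a directory redirect back to us.
    if { not [string match "/reseller*" [HTTP::uri]] } {
        HTTP::uri "/reseller[HTTP::uri]"
    }
}
when HTTP_RESPONSE {
    # A redirect from the server (login flow, missing trailing slash, ...) still
    # carries the prefix in Location; forwarding it unchanged is what exposes
    # /reseller to the user. Strip it so the browser keeps the short URL, and the
    # follow-up request is mapped back under /reseller by HTTP_REQUEST above.
    if { [HTTP::header exists "Location"] } {
        set loc [HTTP::header "Location"]
        # "/reseller/" is listed first so it wins over the shorter "/reseller"
        # at the same offset; works for absolute and relative Location values
        set loc [string map [list "/reseller/" "/" "/reseller" "/"] $loc]
        HTTP::header replace "Location" $loc
        log local0. "rewrote Location for [IP::client_addr]: $loc"
    }
}
```

Checking the result with HttpFox or ssldump as nitass suggests shows the rewritten Location on the client side while the server side still sees the /reseller paths.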