For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ramr_261905's avatar
ramr_261905
Icon for Nimbostratus rankNimbostratus
May 05, 2016

How to configure a virtual server with serverssl profiles to talk to both HTTP and HTTPS backends?

In our F5 (version: 11.6.0) setup: 1. SSL is being terminated on the F5 end. 2. Connections on the serverside (to the backend pool) can be either HTTP or HTTPS. Each pool can contain backends tha...
BIG-IP
cloud
iRules
BinaryCanary_19's avatar
BinaryCanary_19
Historic F5 Account
May 06, 2016

You can use an irule with LB_SELECTED event. Obtain information about which pool was selected via the LB::server command. Then all you need to do is Disable server-SSL, or enable it depending on your logic.

 

I would suggest to attach a Oneconnect profile to the VIP for this kind of use case, so that load balancing checks are performed on every request (instead of once at the start of connection) due to the influence that http keepalive can have.

 

ramr_261905's avatar
ramr_261905
Icon for Nimbostratus rankNimbostratus
May 06, 2016
Thanks for the response @FKnuckles - yeah we would also need to do some "bookkeeping" on the pools to know when to do that. We programmatically add the pools/rules/profiles, so the serverssl profile is the sole indicator we have as of now that the backends "speaks" only HTTPS. One solution/suggestion we had was to create and update a new datagroup with all HOSTs that need HTTPS and based on an entry in that map, enable/disable SSL. Thx