Forum Discussion

Jan 14, 2019

How to send traffic to a pool with pool members expecting HTTPS from another VS

Hello,

I have this LTM configuration: a 'standard' virtual server VS1 configured with client and server SSL profiles, and behind a pool P1 with members listening on / expecting requests to be made in HTTPS. It works fine :)

I received a request to be able to send traffic to this pool P1 (so with members expecting HTTPS) but from another 'standard' virtual server VS2. VS2 (which works fine) uses by default a pool P2 where servers expect HTTP, so only client SSL profile is configured here.

The idea is that when a specific path is in the URI, from VS2 I send traffic to pool members of VS1, so to P1.

So, I wrote an iRule (applied on VS2) which parses the URL and sends the traffic to P1 when needed. But the problem I face then is that the traffic is sent in HTTP and not HTTPS, so there is a handshake failure with P1 members, because they expect HTTPS.

For info, the VS are on an internal segment (so no public IPs) and requests come from the Internet. I tried other approaches with the iRule applied on VS2 (client/server SSL profile):

  • I'm using the HTTP::redirect statement. It kind of works but does not please the developers.

  • I'm using the keyword 'virtual'. I have to dig further, but so far on the client browser I get an ERR_CONNECTION_RESET (I'm still looking for lost packets haha).

  • I'm looking into using a different trigger than HTTP_REQUEST, for example CLIENT_ACCEPTED, or CLIENTSSL_something or SERVERSSL_something. But I think it won't do the trick, because the host/uri is only seen after the TLS handshake, when the HTTP header host is sent via the HTTP connect method. Am I right?

I'm also looking in other profiles (Rewrite, HTTP) but I think they won't do the trick.

For info, I also have to play with headers but it's the easy part of the request :)

Any help, advice or magic piece of code will be appreciated. Thanks a lot in advance.

Benoit

3 Replies

  • I forgot to mention, but I'm looking into forward SSL / SSL proxy profiles.

  • Hello,

    to add some more fun, VS2 is in RD0 (default) and VS1 is in another RD :)

  • Hi Benoit C.,

    to access mixed HTTP and HTTPS pools through a unified Virtual Server you have to assign a Server-SSL-Profile to begin with, and then selectively disable the Server-Side-SSL negotiation for any plaintext pool you are going to access...

    when CLIENT_ACCEPTED {
        # Initialise the flag on every new client connection so that
        # SERVER_CONNECTED never reads an unset variable (e.g. when no
        # HTTP_REQUEST branch set it before a server connection was opened).
        set disable_server_ssl 0
    }
    when HTTP_REQUEST {
        switch -exact -- [HTTP::host] {
            "www.plaintext.com" {
                # Plaintext members: server-side SSL is switched off in SERVER_CONNECTED.
                pool my_plaintext_pool_http80
                set disable_server_ssl 1
            }
            "www.encrypted.com" {
                # HTTPS members: keep the Server SSL profile negotiating TLS.
                pool my_secure_pool_https443
                set disable_server_ssl 0
            }
            default {
                # Unknown host: answer from the BIG-IP and close the connection
                # (Content-Type corrected to the valid MIME type text/plain).
                HTTP::respond 502 content "Access Denied" "Content-Type" "text/plain" "Connection" "close"
            }
        }
    }
    when SERVER_CONNECTED {
        # Fires for each new server-side connection, before the server SSL
        # handshake, so this is where the Server SSL profile can still be bypassed.
        if { $disable_server_ssl } then {
            SSL::disable serverside
        }
    }


    Cheers, Kai
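Benoit's case switches on the request path rather than the hostname. The same pattern applied to a URI prefix, as an added example that is not from this thread (the pool names P1 and P2 come from the question; the path prefix /secure-app/ and the CLIENT_ACCEPTED initialisation are assumptions, and VS2 must have a Server SSL profile attached for SSL::disable to have anything to act on):

```tcl
# Added example, not code from the thread: path-based variant of the
# host-based iRule above, for a VS2 that carries both a Client SSL and a
# Server SSL profile. Assumes: default pool P2 = plaintext HTTP members,
# pool P1 = HTTPS members, and "/secure-app/" as the prefix to divert.
when CLIENT_ACCEPTED {
    # Default for a fresh client connection: P2 is plaintext, so the
    # Server SSL profile must be bypassed unless a request says otherwise.
    # Initialising here means SERVER_CONNECTED never reads an unset variable.
    set disable_server_ssl 1
}

when HTTP_REQUEST {
    # Compare the path case-insensitively so "/Secure-App/x" is diverted too.
    if { [string tolower [HTTP::path]] starts_with "/secure-app/" } {
        # HTTPS members: leave the Server SSL profile active.
        pool P1
        set disable_server_ssl 0
    } else {
        # Plaintext members: use the VS default pool, TLS off towards the server.
        pool P2
        set disable_server_ssl 1
    }
}

when SERVER_CONNECTED {
    # Runs once per new server-side connection, before the server handshake,
    # so the flag set by the most recent request decides whether TLS is used.
    if { $disable_server_ssl } {
        SSL::disable serverside
    }
}
```

Because SERVER_CONNECTED fires only when a new server-side connection is opened, a keep-alive client connection that alternates between P1 and P2 gets a fresh server connection (and a fresh SERVER_CONNECTED) each time the pool changes, so the flag from the latest request applies. The route-domain difference Benoit mentions is not addressed by this rule.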