cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

HTTP VIP to mixed HTTP/HTTPS endpoints using Policy?

JonathanH-UK
Nimbostratus
Nimbostratus

Hi All,

I'm trying to achieve something that seems really simple to me but I cannot figure out whether it's possible on an F5.

Using BIG IP version 15.0..1 I want to create a single VIP which receives unencrypted HTTP requests and uses a policy to redirect them to pools of services, some which use SSL and some which do not.

There's an option in the policy to set the server SSL profile which looks perfect at face value, but it needs to happen at Server Connect time whereas my condition based on the HTTP URL Path segment (e.g. begins with /app1) happens at 'Request Time' so the F5 considers this to be an invalid config.

As I'm using an HTTP Reverse proxy profile and the F5 is creating a new TCP connection for the forwarded requests is seems entirely technically feasible that it could be told to use an SSL Profile for some endpoints but I can only really find much more complicated examples with client SSL profiles and using SNI which is not relevent in my case.

If I create additional Standard VIPs and forward to those then I can control the SSL profile at that point but it completely defeats the object of trying to create a single consolidated VIP for a group of services 😞

 

Could anyone share an example or useful document with me please?

 

Just to summarise:

Standard VIP on single destination IP + Port - HTTP Profile with Reverse Proxy

No Client SSL - i.e. Clients connect using HTTP

Policy set to forward /app1 to pool-app1 and /app2 to pool-app2

 

Let's say App2 uses SSL so I want to apply the ssl_server SSL profile on the traffic forwarded to this service.

 

Thanks in advance for any advice.

4 REPLIES 4

SanjayP
MVP
MVP

You can write an iRule to disable http for /app2 request. Use HTTP::disable ​syntax.

JonathanH-UK
Nimbostratus
Nimbostratus

Thanks. I'll give this a go 🙂

Cool. Let us know how does it go

JonathanH-UK
Nimbostratus
Nimbostratus

Your tip inspired me a bit and made me look again at the Policy. Both me and a colleague had completely failed to notice that the rule actions include an option of 'Disable' with 'SSL Server Profile' on the context menu.

Such a simple solution after all that!

 

We try to avoid using iRules where possible as there's a percieved risk of causing performance problems but also because there are fewer people in our organisation who understand how to manage them.

 

Thanks again 😃

 

Here's what the working policy looks like: