Forum Discussion

Alex1
Sep 15, 2022
Solved

iRule sideband using HTTP/2

All examples I have seen with iRules using 'connect' to generate a sideband connection use HTTP/1.0 or HTTP/1.1

I am wondering if anyone has examples of, or knows how iRule sideband connections can be made using HTTP/2?

I expect this to cause problems because HTTP/2 content is binary encoded which the iRule would then have to handle. 

To use SSL the normal approach is to call a helper VS from the iRule - so iRule to helper VS is local to LTM and unencrypted, then helper VS to remote server (pool member) is encrypted.  So the built-in F5 VS profile setup is taking care of the work for SSL.  If there was a way to have HTTP/1.1 on the clientside and HTTP/2 on the serverside of such a helper VS that would do a similar task for HTTP, but as far as I can see the options are either to have HTTP/2 on both sides, or the clientside HTTP/2 and the serverside HTTP/1.1.

  • You would indeed use a helper VIP here to do a sideband call. The trick is, the HTTP2 profiles require client and server SSL and client and server HTTP2 profiles. But you can get around that.

    • Configure your helper VIP accordingly
      • HTTP profile
      • Client SSL profile with Renegotiation disabled
      • Server SSL profile with Renegotiation disabled
      • HTTP2 client profile (under Acceleration)
      • HTTP2 server profile
      • VLAN: listening on none
      • Pool to resource
    • Add the following iRule to the helper VIP:
    when CLIENT_ACCEPTED {
        SSL::disable clientside
        HTTP2::disable
    }

    So then traffic should come to the VIP unencrypted, the iRule will disable clientside SSL and HTTP2, then encrypt with HTTP2 to the server.

3 Replies

    • Alex1

      Excellent, thank you!!

      I've marked your response as accepted because it covers off what I asked exactly.

      It does raise another question which I can maybe find the answer to within online documentation, but I suspect you may just know the answer if you don't mind…..

      For the helper VS - I've seen that you can set any destination IP and port really, plus you mentioned setting the VLAN to none which is a good point thank you.  I assume the F5 uses some internal process to ‘reach’ the VS rather than traditional routing?

      I am therefore wondering whether there are any limitations around sending traffic to the same helper VS from multiple iRules?  I expect to have a very similar iRule assigned to different VSes that will all need to make the same sideband call – note that these VSes will be in different traffic groups from each other, just to give them separate session caches (I use an HA pair, but it should always be active/standby, not active/active).

      Can each iRule use the same helper VS (i.e. single helper VS being ‘called’ by multiple iRules), or does the way that the traffic is passed using an internal mechanism mean there is a requirement for a 1-1 mapping between main VS (iRule) and helper VS?

      If multiple VSes (iRules) can use the same helper VS then is that still true, or advisable, in my case where the different main VSes (iRules) will operate in different traffic groups?  Even if the iRules can ‘share’ a helper VS I am currently thinking I may be better using a 1-1 mapping with each VS (iRule) having its ‘own’ helper VS – having each helper VS in the same traffic group as its corresponding main VS, just in case a problem ever arose and the devices went active/active – i.e. so that each helper VS would ‘move’ with the corresponding main VS.

  • The preferred method of instantiating a sideband connection is by calling the virtual server name directly, instead of an IP:port.

    https://clouddocs.f5.com/api/irules/connect.html

    So then this is basically the same internal mechanism that VIP targeting uses. There's no 1-1 relationship between sideband and sideband caller, so you're free to call this VIP from any iRule.
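Putting the two replies together, here is an added example (not code from the thread or from F5) of the iRule on the main VS that makes the sideband call by virtual server name: it sends a plain HTTP/1.1 request to the helper VS, whose own CLIENT_ACCEPTED iRule disables clientside SSL and HTTP/2 so that the helper's serverside profiles re-encode the request as HTTP/2 over TLS to the pool. The helper VS name `/Common/helper_vs_h2`, the Host header and the `/api/check` path are assumed placeholders; the caller fails closed when the sideband check cannot be completed.

```tcl
# Added example: sideband caller on the main VS (names below are assumed placeholders)
when HTTP_REQUEST {
    # Plain HTTP/1.1 request; the helper VS handles the HTTP/2 + TLS hop to the pool
    set req "GET /api/check HTTP/1.1\r\nHost: backend.example.com\r\nX-Client-IP: [IP::client_addr]\r\nConnection: close\r\n\r\n"

    # Connect by virtual server name rather than IP:port (no 1-1 caller/helper mapping needed)
    set conn [connect -protocol TCP -timeout 1000 -idle 5 -status conn_status "/Common/helper_vs_h2"]
    if { $conn eq "" } {
        log local0. "sideband connect to helper VS failed: $conn_status"
        # Fail closed: do not let the client request through when the check cannot run
        HTTP::respond 503 content "Service unavailable" "Connection" "close"
        return
    }

    # send returns the number of bytes written; anything short is treated as a failure
    set sent [send -timeout 1000 -status send_status $conn $req]
    if { $sent != [string length $req] } {
        log local0. "sideband send incomplete ($send_status)"
        close $conn
        HTTP::respond 503 content "Service unavailable" "Connection" "close"
        return
    }

    # Read the response and release the sideband connection
    set resp [recv -timeout 1000 -status recv_status $conn]
    close $conn

    # Only the status line is inspected; anything other than 200 blocks the request
    set status ""
    regexp {^HTTP/1\.[01] (\d{3})} $resp -> status
    if { $status ne "200" } {
        log local0. "sideband check returned '$status' ($recv_status)"
        HTTP::respond 403 content "Forbidden" "Connection" "close"
        return
    }
    # On 200 the original client request continues to the default pool unchanged
}
```

Because the helper VS listens on no VLAN, only this internal `connect` path can reach it; the serverside SSL profile on the helper VS is where certificate handling for the pool member is configured.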