Forum Discussion

CraigM_17826
Nov 30, 2009

Server ssl profile and pools issue

Hi all,

First up, apologies in advance for the long posting, but I wanted to give as much detail as possible.

This is the situation. I have been asked to make some changes to our BigIP so that when a user enters a specific suffix on a URL it will redirect them to another server, passing the URI on to that new server, but they do not want the client to see the new URL's hostname; they want it to show our hostname, so it appears the content is running off our servers.

i.e. user enters www.acme.com/exams and in the backend the BigIP connects to www.notacme.com/exams but the URL displayed in the client's browser shows www.acme.com/exams

So in this case a simple redirect would not work.

Now I have done this in the past using pools. I’m not really sure if this is the best or correct way of doing this, but I create a pool with member(s) that point to the backend servers hosting that content and then in an iRule check for specific text in the URI and if it matches I then tell it to use that pool. This has worked well and was quite simple and quick to set up. So I thought it shouldn’t be too hard to do for this new case.

Now the main difference I have is that the connection between the BigIP and this new server must be over SSL and that the server is using self-signed certificates. Now I have managed to install the CA key for the keys on the BigIP and I have set up a serverssl profile using those keys. So far so good. I then changed the configuration of the virtual web server to use both the client and server SSL profiles. This is what now happens:

1. If I try to access the site all the non-SSL pool connections fail.

2. The one pool connection using SSL to the remote server works.

So it seems that setting the server SSL profile is global in its scope. I thought there must be some way of telling the BigIP to use a specific server SSL profile for a specific pool. I did a search on the forums for this and I did come up with a hit or two which led me to my current solution, and I must admit I don’t think it’s a particularly good way although it works, so I would appreciate people's thoughts on this and if there is a better way to do this.

So this is what I have currently done.

- On the configuration settings for the web server I have selected the server SSL profile.

- In the iRule, for every URI test I do that uses a pool where connections to the members of that pool are not over SSL, I have added an SSL::disable serverside directive.

- The block of code that tests for the exams in the URI just does a pool “pool name” so it inherits the virtual web server's server SSL profile.

- At the end of the iRule I have a catch-all that does an SSL::disable serverside followed by a pool “default pool”.

Now this does work, but as you can see it’s not exactly neat.

So although I have a solution, I would be interested to hear anyone else's suggestions on how I should be doing this.

Thanks in advance,

Craig

5 Replies

  • Hi Craig,

    If you want to enable server SSL only for specific pools on a VIP, an iRule is necessary. It sounds like you have a solution which is working for you using SSL::disable. You can use SSL::profile PROFILE_NAME to select a new SSL profile.

    If you want more specific feedback on your iRule, can you post the code?

    Thanks,

    Aaron
  • Hi Aaron,

    I did notice the SSL::profile "profile_name", and correct me here if I am wrong, but I think it's only permissible within Server_Connected and to be honest I couldn't quite work out how I could use it there. All my pool selections are done within HTTP_RESPONSE and ideally it would have been nice if I could have used it there, but it was not to be.

    Basically the iRule in question just does a lot of separate URI checks for certain strings and depending on what it finds it will use specific pools. Most of the other code in the iRule is for session persistence. The reason why there is more than one pool is that not all of the content is served by WebSphere, although it could be, but our internal developers haven't got round to it, so certain content comes from IIS servers to Tomcat servers. So it's a bit of a dog's breakfast. I'll post some code extracts tomorrow when I'm at work, but in a nutshell it's like this:

    if { [HTTP::uri] contains "/" } {
        pool "PoolName"
        return
    }

    I did think that I might have to go the route of using URL rewrites but I thought using pools would be simpler for my situation.

    Regards

    Craig

  • I assume you mean HTTP_REQUEST for the pool selection? You could either add logic to HTTP_REQUEST to choose the correct profile name based on whatever criteria you need to (and then select the server SSL profile in SERVER_CONNECTED), or you could check which pool was selected in SERVER_CONNECTED and then specify which server SSL profile to use.

    Aaron
  • Hi Aaron,

    ok, I've simplified it a bit now. The thing that threw me was that it seems that I have to have the server SSL profile defined in the properties of the virtual server or else the SSL::profile command seems to fail.

    Here is what I ended up with:

    when HTTP_REQUEST {
        # Exam content lives on the SSL-only backend pool
        if { [string tolower [HTTP::uri]] contains "/exam-services" } {
            pool "ExamServices"
            return 0
        }
        [other code]
    }

    when SERVER_CONNECTED {
        # Only the exam pool talks SSL to its members; everything else is clear text
        if { [string tolower [LB::server pool]] eq "examservices" } {
            SSL::profile "ExamSevices"
        } else {
            SSL::disable serverside
        }
    }

    and this seems to work. Still unsure if this is best practice though.

    Regards

    Craig
  • Hi Craig,

    From reading the SSL::profile wiki page, I think you need to have a server SSL profile enabled in order to select a different server SSL profile. But I gather you can indeed select a different SSL profile than what's defined as the default server SSL profile. If you're only using one server SSL profile and want to selectively disable that profile, you should be able to just call SSL::enable/SSL::disable to do this (without bothering with SSL::profile).

    Aaron
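As an added example (not code from the thread or from F5), here is a consolidated version of the approach Aaron describes and Craig ended up with: HTTP_REQUEST picks the pool, and SERVER_CONNECTED looks the pool up in a table to decide whether server-side SSL is enabled for that connection and which server SSL profile applies. Pool names, profile names and URI prefixes are assumptions, and as the replies note the virtual server still needs a server SSL profile attached for SSL::profile to work.

```tcl
# Example iRule (assumed names throughout). One table drives which pools
# are reached over SSL; pools not listed are reached in clear text.
when RULE_INIT {
    # pool name (lower-cased, no partition prefix) -> server SSL profile.
    # Each profile is expected to carry the CA that validates that
    # backend's (self-signed) certificate, as the poster configured.
    array set static::pool_ssl_profile {
        examservices  ExamServices_serverssl
        partnerapi    PartnerAPI_serverssl
    }
}

when HTTP_REQUEST {
    # Route by URI prefix only; SSL decisions are deferred to SERVER_CONNECTED
    # because SSL::profile is not usable here.
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/exam-services" } {
        pool ExamServices
    } elseif { $uri starts_with "/partner" } {
        pool PartnerAPI
    } else {
        pool DefaultPool
    }
}

when SERVER_CONNECTED {
    # LB::server pool may return "/Common/ExamServices" on partitioned
    # systems, so keep only the last path element before the lookup.
    set selected [string tolower [lindex [split [LB::server pool] "/"] end]]
    if { [info exists static::pool_ssl_profile($selected)] } {
        # Backend expects TLS: turn server-side SSL on for this connection
        # and select the profile that trusts this backend's certificate.
        SSL::enable serverside
        SSL::profile $static::pool_ssl_profile($selected)
    } else {
        # Backend is plain HTTP: make sure this connection is not wrapped in TLS.
        SSL::disable serverside
    }
}
```

Adding a new SSL backend then means adding one pool and one line to the table rather than another SSL::disable in every branch of HTTP_REQUEST.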