

Devlin_T_149357
Sep 01, 2017

Set Server SSL Profile Based on URI

Hi all

We have a need to set a specific Server SSL Profile based on the requested URI for an HTTPS VS. I have searched around and there appear to be a number of example iRules that could/should do the trick, but I seem to be failing.

I have concocted this little gem based on an amalgamation of my findings; however, it does not seem to work:

when HTTP_REQUEST {
set uri [HTTP::uri]
}
when SERVER_CONNECTED {
  if {$uri equals "/uri1" } {
    SSL::profile SERVER-SSL-1
  }
elseif {$uri equals "/uri2" } {
    SSL::profile SERVER-SSL-2
  }
}

I feel I'm probably missing something fundamental here. Any clues would be really helpful.

I have applied the default Server SSL profile to the VS as I believe this is required for SSL profile switching.

Thank you.

1 Reply

  • Hi Devlin,

    you may take a look at the iRule I'm using to selectively change or even disable the Server SSL Profile for specific requests.

    when HTTP_REQUEST {
        if { [HTTP::uri] equals "/uri1" } then {
            # Switch Server SSL Profile to "/Common/SERVER-SSL-1"
            set Pool_SSL_Profile "/Common/SERVER-SSL-1"
        } elseif { [HTTP::uri] equals "/uri2" } then {
            # Switch Server SSL Profile to "/Common/SERVER-SSL-2"
            set Pool_SSL_Profile "/Common/SERVER-SSL-2"
        } elseif { [HTTP::uri] equals "/uri3" } then {
            # Disabling Server SSL Profile
            set Pool_SSL_Profile ""
        }
    }
    when SERVER_CONNECTED {

        #
        # Handler for Server SSL Profile Selection
        #

        # if { $debug } { log -noname local0. "--- Entering \"Server SSL_Selector\" SERVER_CONNECTED iRule ---" }
        # if { $debug } { log -noname local0. "+++ Entering Server SSL Profile Selection Handler +++" }

        if { [PROFILE::exists serverssl] } then {

            # if { $debug } { log -noname local0. "The Virtual Server \"[virtual]\" has a Server SSL Profile assigned." }

            if { $Pool_SSL_Profile eq "" } then {

                # if { $debug } { log -noname local0. "The Request has no Server SSL Profile specified. Disabling the Server Side SSL Channel." }

                catch { SSL::disable serverside }

            } else {

                # if { $debug } { log -noname local0. "The Request has an Server SSL Profile specified. Changing the SSL Profile to \"$Pool_SSL_Profile\"." }

                if { [catch { SSL::profile $Pool_SSL_Profile }] } then {

                    log -noname local0. "!!!! Warning !!!! The Virtual Server \"[virtual]\" has selected the SSL profile \"$Pool_SSL_Profile\" but it does not exist. Disabling the Server Side SSL Channel. !!!! Warning !!!!"

                    catch { SSL::disable serverside }

                } else {

                    # if { $debug } { log -noname local0. "Enabling the Server Side SSL Channel." }

                    catch { SSL::enable serverside }

                }

            }

        } else {

            log -noname local0. "!!!! Warning !!!! The Virtual Server \"[virtual]\" has no default SSL Server Profile assigned !!!! Warning !!!!"

        }

        # if { $debug } { log -noname local0. "+++ Leaving SSL Profile Selection Handler +++" }
        # if { $debug } { log -noname local0. "--- Leaving \"Server_SSL_Selector\" SERVER_CONNECTED iRule ---" }

    }
    

    Note: To use this iRule you have to assign a default Server SSL Profile to your Virtual Server (it could be a dummy profile). The reason for this is that you can't change or assign a Server SSL Profile if the Virtual Server doesn't have a default profile attached. Once the Virtual Server has a default Server SSL Profile configured, you could selectively disable the Server SSL Profile as needed by setting $Pool_SSL_Profile to an empty string.

    Cheers, Kai
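
An added example, not part of Kai's post and not F5's own code: a compact variant of the rule above that resets the selection on every request, matches on the path instead of the full URI, and fails closed rather than sending the request to the pool in cleartext when the named profile cannot be applied. The profile names and URIs are the ones used in the thread; the "default" sentinel value and the use of `reject` to fail closed are assumptions of this example.

```tcl
when HTTP_REQUEST {
    # Reset on every request so a keep-alive connection never reuses the
    # previous request's selection. "default" (assumed sentinel) means:
    # keep the profile already assigned to the virtual server.
    set Pool_SSL_Profile "default"

    # HTTP::path excludes the query string, so "/uri1?x=1" still matches;
    # an exact match on HTTP::uri would not.
    switch -- [HTTP::path] {
        "/uri1" { set Pool_SSL_Profile "/Common/SERVER-SSL-1" }
        "/uri2" { set Pool_SSL_Profile "/Common/SERVER-SSL-2" }
        "/uri3" { set Pool_SSL_Profile "" }
    }
}
when SERVER_CONNECTED {
    # Profile switching needs a default Server SSL profile on the virtual
    # server. Without one, refuse the request instead of only logging.
    if { ![PROFILE::exists serverssl] } {
        log local0. "Virtual server [virtual] has no default Server SSL profile; rejecting."
        reject
        return
    }
    if { $Pool_SSL_Profile eq "default" } {
        # Unlisted paths keep the virtual server's own profile.
        return
    }
    if { $Pool_SSL_Profile eq "" } {
        # Only the explicitly listed path may reach the pool without TLS.
        SSL::disable serverside
        return
    }
    if { [catch { SSL::profile $Pool_SSL_Profile } err] } {
        # Fail closed (assumption: reject is the desired behaviour here).
        # A missing or misnamed profile must not downgrade to cleartext.
        log local0. "Cannot apply $Pool_SSL_Profile on [virtual]: $err; rejecting."
        reject
        return
    }
}
```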