
SSL over port 8080

carter91_13591
Nimbostratus
I have a web server that has two sites running on it. One on port 80, and the other on port 8080.

I have 3 virtual servers created on the F5. One for port 80, one for port 8080, and another for 443.

On the one for port 80, I have an iRule attached, so when somebody types in http://servername.domain.com it redirects automatically to https://servername.domain.com

It works quite well.

I need to get SSL working for the one on port 8080, and can't seem to figure it out. I tried using my original iRule that just does a redirect to https: like I have for the site on port 80, and it didn't work. I created a 2nd iRule and just manually typed in the URL I wanted it to redirect to instead of the host value (https://servername.domain.com:8080), which didn't work either.

I can't seem to get the site running on port 8080 to work with SSL.

Any hints?

Just using the standard iRules for http to https redirects:

when HTTP_REQUEST {
    HTTP::redirect https://[HTTP::host]
}

Also tried:

when HTTP_REQUEST {
    HTTP::redirect https://servername.domain.com:8080
}

12 REPLIES

hoolio
Cirrostratus
Which port(s) do you want clients to connect to the VIP(s) on? Typically, you'd have an HTTP VIP running on port 80 and an HTTPS VIP running on port 443. And then which port(s) do you want LTM to send requests to the pool member(s) on for each VIP? The VIP port and client/server side SSL configuration is independent of the pool member(s) port(s). If you enable port translation on the VIP, LTM will translate the destination port when establishing a connection to the pool members to the port the pool member is defined on. LTM will decrypt SSL on the clientside connection if you add a client SSL profile to the VIP.

Aaron

carter91_13591
Nimbostratus
Yeah, we have set up similar ones in the past, and like you said originally, I had two VIPs, one listening on port 80, and the other on 443.

When a client would have a user type in http://servername.domain.com it would redirect them to https://servername.domain.com

Right now, I have the VIP working on port 8080, with the pool member listening on port 8080. If they type in http://servername.domain.com:8080 it connects, but I want this to be https://servername.domain.com:8080

So are you saying I should delete that third VIP I have listening on port 8080 and create another one listening on port 443 and use the pool member that has the server listening on port 8080?

hoolio
Cirrostratus
If you want to have an HTTP VIP that redirects all requests to HTTPS you can create an HTTP VIP with an HTTP class or iRule which redirects to https://[HTTP::host][HTTP::uri]. You can then define an HTTP pool of servers on port 80 and/or 8080. Use this HTTP pool on an HTTPS VIP defined on port 443. Add a client SSL profile to the VIP and you should be set.

You don't need the 8080 VIP at all, unless you want clients to use :8080 in the URLs.

Aaron

Elias_O_16228
Nimbostratus
I know this thread is old but I have a similar situation, but a little bit different. Hoping to pick your brains.

Developers wanted to access SSL on port 9089 (non-SSL port), with a self-signed cert generated on the server. This works without LTM thus: (https://10.10.10.10:9089).

I want to throw this through the LTM for load balancing purposes.

Then I created the pool and the following:

1. clientside SSL profile
2. serverside SSL profile
3. http VIP with clientside and serverside profiles enabled and http redirect to https, but still not working. I know the redirect works because I use it for other connections and it's working just fine.

What could be causing this not to work?

Help needed.

Thanks

nitass
F5 Employee
can you post the virtual server and pool configuration?

tmsh list ltm virtual (name)
tmsh list ltm pool (name)

Kevin_Stewart
F5 Employee
Do you want to access the HTTPS application through the LTM with this port or with the standard 443? If the former, is there a chance that your http redirect does not include the port number? You would necessarily need to redirect to "https://[HTTP::host]:9089[HTTP::uri]". Otherwise you just need client and server SSL profiles, an HTTP profile, and a pool of servers listening on port 9089. Do you see anything unusual in the LTM logs?
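Kevin's point about the port also explains the original poster's symptom, if we take the Host header into account: a redirect built as https://[HTTP::host] reuses whatever the client typed, so a client that arrived on the plaintext :8080 VIP with a Host of servername.domain.com:8080 is sent to https on that same port, and the URI is dropped. The following is an added example, not code from this thread or from F5: a Python builder for the Location header that works the way Kevin describes, discarding the client's port, appending the configured HTTPS port (omitted when it is 443) and preserving the original URI. It goes slightly beyond the thread by handling bracketed IPv6 hosts. All host names, ports and paths in it are constructed.

```python
"""Build an HTTP-to-HTTPS redirect Location that carries a non-default TLS port
(added example, not code from this thread or from F5)."""
from typing import Optional, Tuple


def split_host_header(host_header: str) -> Tuple[str, Optional[int]]:
    """Split a Host header into (host, port); port is None when absent.

    IPv6 literals arrive bracketed ("[2001:db8::1]:8080"), so the port is
    whatever follows the closing bracket rather than the first colon.
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal in Host: {value!r}")
        host, rest = value[: end + 1], value[end + 1 :]
    else:
        host, sep, port_text = value.partition(":")
        rest = sep + port_text
    if rest == "":
        return host, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError(f"malformed port in Host: {value!r}")
    return host, int(rest[1:])


def naive_redirect(host_header: str) -> str:
    """What 'HTTP::redirect https://[HTTP::host]' produces: the client's own
    Host value, client port included, with the request URI dropped."""
    return f"https://{host_header}"


def build_https_redirect(host_header: str, uri: str, https_port: int = 443) -> str:
    """Location for a 302 that sends the client to HTTPS on https_port.

    The port the client used is discarded, the HTTPS port is appended unless
    it is the default 443, and the original URI is preserved.
    """
    host, _client_port = split_host_header(host_header)
    if not uri.startswith("/"):
        uri = "/" + uri
    port_part = "" if https_port == 443 else f":{https_port}"
    return f"https://{host}{port_part}{uri}"


if __name__ == "__main__":
    # Constructed inputs mirroring the two situations in the thread.
    print(naive_redirect("servername.domain.com:8080"))
    print(build_https_redirect("servername.domain.com:8080", "/app?x=1", 9089))
```

The iRule equivalent of build_https_redirect for port 9089 is the Location Kevin gives, https://[HTTP::host]:9089[HTTP::uri], with the caveat that [HTTP::host] still carries the client's own port if one was typed, which is what split_host_header strips here.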

Elias_O_16228
Nimbostratus
> Do you want to access the HTTPS application through the LTM with this port or with the standard 443?

Want to access non-SSL port 9089. Absolutely, the https does not have the port.

See output below:

ltm virtual HTTPS-TEST-Virtual-Server {
    destination 10.10.10.10:9089
    fallback-persistence source_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool HTTPS-TEST-Pool
    profiles {
        Client_Profile {
            context clientside
        }
        server_side_profile {
            context serverside
        }
        http { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
    }
    rules {
        redirect_irule
    }
}

ltm pool HTTPS-TEST-Pool {
    members {
        9.9.9.9:9089 {
            session monitor-enabled
        }
        9.9.9.10:9089 {
            session monitor-enabled
        }
    }
    monitor min 1 of { https }
}

------------------------

when HTTP_REQUEST {
    # Check if the client used an SSL cipher
    if {not ([catch {SSL::cipher version} result]) && [string tolower $result] ne "none"}{
        # Client did use a cipher
        # log local0. "\$result: $result. Allowing encrypted request."
    } else {
        # Client did not use a cipher
        # log local0. "\$result: $result. Redirecting unencrypted request. [HTTP::host][HTTP::uri]"
        HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]"
    }
}

Kevin_Stewart
F5 Employee
I would do two things:

1. Re-enable your logging statements to see what is happening.

2. Modify your redirect to include the port: HTTP::respond 302 Location "https://[HTTP::host]:9089[HTTP::uri]" .

After you've done this, does it work if you go to HTTPS directly? I have to assume that your HTTP-to-HTTPS redirect won't work because you have a client SSL profile applied to the VIP. Having HTTP and HTTPS work on the same VIP with the same port is challenging, but there are ways around this. Let's start with basic functionality first and work from there. I would also remove the iRule for now and just make sure the HTTPS VIP is working.
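Kevin's remark that HTTP and HTTPS on the same VIP and port is challenging comes down to telling the two apart from the first bytes the client sends: a TLS client opens with a handshake record (content type 0x16) carrying a ClientHello, while a plaintext HTTP/1.x client opens with a method token. A listener with a client SSL profile expects the former, so plaintext bytes never reach the HTTP_REQUEST event where the redirect iRule would run. The following is an added Python example, not code from this thread or from F5 (on a BIG-IP this decision would live in an iRule); it classifies a constructed ClientHello prefix and a constructed HTTP request and reports which listener/client pairings reach the HTTP layer. The sample bytes are constructed, not captured traffic.

```python
"""Classify the first bytes a client sends on a listener as a TLS handshake or a
plaintext HTTP request (added example, not from the thread or from F5)."""
from typing import Optional, Tuple

# Request methods a plaintext HTTP/1.x client may open with.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def classify_client_data(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' from the first bytes of a connection.

    A TLS ClientHello starts with a 5-byte record header (type 0x16, version
    0x03 0x0N, 2-byte length) followed by handshake type 0x01. A plaintext
    HTTP/1.x request starts with an ASCII method token and a space.
    """
    if (len(data) >= 6
            and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == CLIENT_HELLO):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def client_hello_version(data: bytes) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) legacy_version from a ClientHello, or None.

    The version follows the 5-byte record header, the 1-byte handshake type
    and the 3-byte handshake length, so it sits at offsets 9 and 10.
    """
    if classify_client_data(data) != "tls" or len(data) < 11:
        return None
    return data[9], data[10]


def expected_listener_outcome(data: bytes, client_ssl_profile: bool) -> str:
    """Describe what a listener does with the first bytes it receives.

    A listener with a client SSL profile expects a handshake, so plaintext
    bytes on it fail before any HTTP event fires; a plaintext listener cannot
    answer a ClientHello. Only a matching pairing reaches the HTTP layer.
    """
    kind = classify_client_data(data)
    if kind == "tls":
        return "handshake" if client_ssl_profile else "tls_to_plaintext_listener"
    if kind == "http":
        return "plaintext_to_tls_listener" if client_ssl_profile else "http_request"
    return "unknown"


# Constructed samples for the example (not captured traffic):
# record header 16 03 01 00c8, handshake type 01, length 0000c4, version 03 03.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301 00c8 01 0000c4 0303") + b"\x00" * 32
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: servername.domain.com:9089\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("client hello", SAMPLE_CLIENT_HELLO), ("http", SAMPLE_HTTP)):
        print(label, classify_client_data(sample),
              expected_listener_outcome(sample, client_ssl_profile=True))
```

The pairing table in expected_listener_outcome is the reason Kevin suggests removing the iRule and first confirming that the HTTPS VIP works on its own: the redirect only ever helps a plaintext client, and a plaintext client never gets as far as HTTP_REQUEST on a VIP that has a client SSL profile.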

Elias_O_16228
Nimbostratus
If I remove the iRule, which is the redirect that contains the port 9089. Maybe you thought I am using "traffic class". No traffic class.

I removed the clientssl profile, it complains about the existence of the iRule. Removed the iRule and clientssl profile, no luck.

Just to reiterate: I want to access https://10.10.10.10:9089. This is working without LTM

nitass
F5 Employee
> Just to reiterate: I want to access https://10.10.10.10:9089. This is working without LTM

isn't 10.10.10.10 virtual server address? why do you say it works without ltm??

> If I remove the irule which is the redirect that contains the port 9089.

i think you may not need the irule. have you ever tried not using it?

e.g.

ltm virtual HTTPS-TEST-Virtual-Server {
    destination 10.10.10.10:9089
    fallback-persistence source_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool HTTPS-TEST-Pool
    profiles {
        Client_Profile {
            context clientside
        }
        server_side_profile {
            context serverside
        }
        http { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
    }
}
ltm pool HTTPS-TEST-Pool {
    members {
        9.9.9.9:9089 {
            session monitor-enabled
        }
        9.9.9.10:9089 {
            session monitor-enabled
        }
    }
    monitor min 1 of { https }
}

Elias_O_16228
Nimbostratus
Nitass,

It works with https://9.9.9.9:9089 directly from the switch behind the LTM.

I can curl -k https://9.9.9.9:9089 but get an error when I curl the VIP 10.10.10.10 --- curl: (52) SSL Read: error: 00000000:lib(0) : reason(0), errno (104).

Tested with clientssl and serverssl without iRule, no show! Not sure it will work without the iRule. A little search appears to indicate that an iRule is required in order to run SSL on a port other than the default 443. But I cannot get it to work for me.

Not given up because it's a requirement and the developers are on my neck.

Help!! Help!!

Elias_O_16228
Nimbostratus
It is working now without the iRule. Thanks all. My apologies for assumptions!

Root cause:

The Firewall guy (brain fagged me) did not allow port 9089...D'oh!!! It hit my nockle brain when I could not see anything on tcpdump...Hep!@ Hep!! hurray! The developers can get off my back now.

Thanks all.