Forum Discussion

Fabou_139732's avatar
Fabou_139732
Icon for Nimbostratus rankNimbostratus
Apr 22, 2016
Solved

Confusion on if to use SSL server profile with iRule or not

Hi   I am looking into implementing a standard VS where I will have the either of the following scenarios   1)Client come using http://url-one.com and the F5 talk to the real server as https://...
application delivery
iRules
LTM
  • Vernon_97235's avatar
    Vernon_97235
    Apr 22, 2016

    The scheme part of the URL is for the benefit of the user-agent only. That is, if you type http://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 80, and sends the following:

    GET / HTTP/1.1
Host: www.example.com

    Notice that the "http" part is nowhere to be found. On the other hand, if you type https://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 443, completes a TLS handshake, then sends exactly the same data as above. Again, the scheme ("https") is absent.

    As such, as long as the uri-query part (the path and query parameters) are unchanged between the client- and server-side, then there is no need to perform a rewrite. Furthermore, if the Host header is unchanged, then there is no need to change headers. As you say, you need only apply a server-side SSL profile for condition 1. And, as you say, you need to perform a Host header rewrite for condition 2. You can either use an iRule or you can use a Local Traffic Policy.

Vernon_97235's avatar
Vernon_97235
Historic F5 Account

The scheme part of the URL is for the benefit of the user-agent only. That is, if you type http://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 80, and sends the following:

GET / HTTP/1.1
Host: www.example.com

Notice that the "http" part is nowhere to be found. On the other hand, if you type https://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 443, completes a TLS handshake, then sends exactly the same data as above. Again, the scheme ("https") is absent.

As such, as long as the uri-query part (the path and query parameters) are unchanged between the client- and server-side, then there is no need to perform a rewrite. Furthermore, if the Host header is unchanged, then there is no need to change headers. As you say, you need only apply a server-side SSL profile for condition 1. And, as you say, you need to perform a Host header rewrite for condition 2. You can either use an iRule or you can use a Local Traffic Policy.

Fabou_139732's avatar
Fabou_139732
Icon for Nimbostratus rankNimbostratus
Apr 22, 2016
Thanks, I didn't know about Local Traffic Policy, I will have a look to it.