Jason_Hook_4092
Apr 12, 2010

Expose pool member in response

I would like to expose which pool member responded to the request for tracking within TrueSight in front of the VIP.

This is what I feel will work, but I'd like some feedback whether this is clean and if I can add this on to VIPs that already have iRules on them. I don't have much experience with multiple iRules on a VIP and would like to know if this would interfere with others.

LTM v10.0.1

when HTTP_RESPONSE {
    # Remove header if already existing to keep from getting dups
    HTTP::header remove "serverIP"

    # Insert header with responding server IP
    HTTP::header insert "serverIP" [IP::server_addr]
}

19 Replies

  • Posted By Jason Hook on 01/12/2011 08:29 AM

    If you have the server defined to the pool on 443 but do not have a ServerSSL profile configured, the request gets dropped on the floor and you don't get a response. Without a ServerSSL profile the back-side of the VIP can't handle the SSL handshake to the server.

    That's where I was confused. What in the LTM's config is saying "if pool member is 443, you must connect to it over SSL?"
  • Posted By Chris Miller on 01/12/2011 08:32 AM

    That's where I was confused. What in the LTM's config is saying "if pool member is 443, you must connect to it over SSL?"

    Nothing. Only specification of a serverssl profile will initiate an ssl handshake from the LTM.
  • Posted By Jason Rahm on 01/12/2011 08:40 AM

    Posted By Chris Miller on 01/12/2011 08:32 AM

    That's where I was confused. What in the LTM's config is saying "if pool member is 443, you must connect to it over SSL?"

    Nothing. Only specification of a serverssl profile will initiate an ssl handshake from the LTM.

    So would you expect pool members listening on 443 to accept clear text or would Apache/IIS not allow such a thing? It'd be the equivalent of saying "http://sample.com:443"
  • We have tons of HTTPS VIPs without Client SSL or even Server SSL but working fine; do you think these are working on clear text? God help us..
  • Posted By fujisen on 01/12/2011 08:47 AM

    We have tons of HTTPS VIPs without Client SSL or even Server SSL but working fine; do you think these are working on clear text? God help us..

    In that case, the pool member is doing the SSL termination so it's SSL end-to-end. In the scenario we're discussing, LTM does the termination and sends cleartext to the pool member over 443.
  • What I'm saying is that there is nothing in LTM that commands you to use a serverssl profile on pool members listening on port 443. That is a well-accepted SSL port, but if you have a pool member listening on port 443 that is serving FTP, it wouldn't make much sense to try to speak ssl. Match the protocol to the server protocol, whatever that is. Many people obfuscate services by using non-standard ports.
  • Related to exposing a pool member in response. So far the suggestion is to insert an HTTP header in the response.

    What about adding an html comment into the returned markup? Is there a clean way to do this without having to be concerned with re-chunking compatibility exactly much as I do now without it on v9 or v10?

    Basically a comment like this at the top of the page returned


  • Colin_Walker_12
    Historic F5 Account
    You could certainly add an HTML comment, though you would risk rechunking, certainly. This would also require that you're terminating SSL on the LTM as with the header, since you can't modify any SSL content inline without decrypting first.

     

     

    Colin
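
When the LTM terminates client SSL, the first bytes it sends to a pool member show whether a serverssl profile is in effect: a TLS ClientHello if so, a plain HTTP request if not. The following Python is an added example, not code from any poster in this thread; it classifies those first bytes as taken from a server-side packet capture, and the function names, member addresses and sample payloads are constructed for illustration.

```python
import re

# Request line of a cleartext HTTP/1.x request, e.g. b"GET / HTTP/1.1\r\n"
HTTP_REQUEST = re.compile(rb"[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first bytes sent to a pool member on a new connection."""
    if HTTP_REQUEST.match(payload):
        return "cleartext-http"
    if len(payload) < 6:
        return "incomplete"
    # TLS record header: type(1) version(2) length(2); handshake type follows
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    if (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < record_len <= 2 ** 14 and payload[5] == 0x01):
        return "tls-clienthello"
    return "unknown"


def cleartext_members(flows, port=443):
    """Return the members on `port` that were sent a plain HTTP request."""
    hits = set()
    for member, payload in flows:
        member_port = int(member.rsplit(":", 1)[1])
        if member_port == port and classify_first_bytes(payload) == "cleartext-http":
            hits.add(member)
    return sorted(hits)


# Constructed sample data: (pool member, first bytes the LTM sent to it)
SAMPLE_FLOWS = [
    ("10.0.0.11:443", b"GET /index.html HTTP/1.1\r\nHost: sample.com\r\n\r\n"),
    ("10.0.0.12:443", bytes.fromhex("16030100c8010000c40303") + bytes(32)),
    ("10.0.0.13:80", b"POST /login HTTP/1.1\r\nHost: sample.com\r\n\r\n"),
]

if __name__ == "__main__":
    for member, payload in SAMPLE_FLOWS:
        print(member, classify_first_bytes(payload))
    print("cleartext on 443:", cleartext_members(SAMPLE_FLOWS))
```

A member on 443 reported by `cleartext_members` is receiving unencrypted HTTP from the LTM despite the port number, which is the situation the thread describes for a VIP without a serverssl profile.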