What I am trying to achieve is to send traffic to a specific pool based on the uri. Which works fine on http, the issue I have is when I use the irule on https. I have to assign an http profile to enable me to add an irule, when I add the standard http profile we have the site browses very slowly or gets connection time out. I am assuming I need a different setting in the profile or + ssl profile (server). Does anyone have any info on what the settings should be in an http profile (to allow ssl to work) or pointers to it? (FYI - if I add the http profile with no irule it does not work - so it's not the irule). thanks in advanced

Does it actually browse very slowly and or sometimes time out, or does it just not work when you add the HTTP profile? There could be several things amiss here: 1. If you need to re-encrypt traffic to the back end server and you don't have a server SSL profile applied, it's more than likely not going to work at all. 2. If you have a 443 virtual server pooling to 443 servers, with no SSL profiles (SSL pass through), then you cannot add an HTTP profile. In fact if you're not terminating the client side SSL then you cannot use an HTTP profile. 3. You said "the standard http profile we have". Does that mean you've modified the default HTTP profile? If so, what did you change? 4. It could be that the application uses absolute addressing and cannot handle the https:// namespace when it's listening on http://. You need to look at what the server is sending to the client. If it's sending references to http:// resources (redirects, page objects, etc.), which the client cannot access, then you'll need to make provisions for that.

Excellent info there.. working through it now... here is some more info if it helps: The http profile is the standard one - http - if this is enabled then the site times out If I use a ssl server profile - wom-default-serverssl (and no http profile) it works fine, add the http profile and it stops.

Think I am getting closer: https://devcentral.f5.com/community/group/aft/1172003/asg/52 this is pretty close, looks like I need to forward - but how do I do that based on the string in http:uri? What should I modify to make this irule a forward? when HTTP_REQUEST { set uri [string tolower [HTTP::uri]] if { $uri starts_with "/abc" } { pool W_APool_443 } else { pool W_BPool_443 } }

I'm not sure that applies. If you intend to decrypt the SSL on the client side, you need to apply a client SSL profile to the VIP. If you need to re-encrypt to the server, you need a server SSL profile applied to the VIP. If you intend to decrypt and then re-encrypt, then you need both client and server SSL profiles applied. If you're attempting to manage layer 7 (HTTP) data on an encrypted channel without first decrypting, then it will most certainly fail. You cannot see HTTP::uri in an HTTP_REQUEST event if you haven't applied a client SSL profile. So, how is your VIP configured with respect to SSL encryption/decryption?

"So, how is your VIP configured with respect to SSL encryption/decryption?" - are you talking about client and server profiles? If so, I have tried a combination of all the standard ones and they do not seem to work. are there other settings for encryption/decryption?

irule to a pool using SSL

21 Replies

nastymatt_11986
Nimbostratus
Feb 21, 2013
Posted By Kevin Stewart on 02/21/2013 08:34 AM

So to summarize then, if you don't SSL offload, you can't apply an HTTP profile or use this iRule. If you do SSL ofload, you'll need to get the certificate and key from each web server behind the BIG-IP to stop the trust errors.

A paragraph I was hoping to not see :) Tavm for the help.
Michael_Yates
Nimbostratus
Feb 21, 2013
Hi nastymatt,

Actually what Kevin is telling you is a good thing and not that difficult at all.

1. Export SSL Certificate from Server.

2. Import SSL Certificate into the LTM Certificate Store (Local Traffic -> SSL Certificates -> Import)

3. Create new SSL Profile (Local Traffic -> Profiles -> SSL -> Client) and assign the Certificate and Key that you imported.

4. Apply SSL Profile (Client) made in Step 3 to the Virtual Server, Apply SSL Profile (Server) to be the default "serverssl".

5. Apply an HTTP Profile (you could use the default if you wish)

6. Assign iRule to the Virtual Server.

This should solve your entire problem and allow your HTTPS Virtual Server to behave just like your HTTP Virtual Server with no SSL Certificate mismatch errors.

The biggest things to remember are:

1. You cannot use an iRule that uses HTTP Methods (when HTTP_REQUEST or when HTTP_RESPONSE) without an HTTP Profile assigned to the Virtual Server.

2. You cannot use an HTTP Profile on encrypted traffic, so if you need an iRule you need to at least Decrypt the traffic (SSL Profile (Client)).

3. If the downstream servers are expecting an secure session then you will need to apply a SSL Profile (Server). This tells the LTM that the downstream server wants to talk securely, so expect it.
nastymatt_11986
Nimbostratus
Feb 27, 2013
Excellent details Michael. I will be putting this into practice next week.. so i might be back :)
Brandon
Cirrostratus
Feb 07, 2014
This was a very helpful stream of info.
Patty_Cl_159208
Nimbostratus
Jul 24, 2014
This is good information. I am new to F5 and have found the online info great but I need some help. I have setup SSL offloading but my website returns HTTP not HTTPS. Current version is 11.4.0. I imported my cert and key into SSL profile (client), created my pool using port 80 on the pool members, created my VS using port 443. I'm using the http profile. I am not familiar with iRules but maybe I need a redirect? When I ping I am hitting the vip.

Any assistance is appreciated. Thanks,
Kevin_Stewart
Employee
Jul 24, 2014
When you say "my website returns HTTP not HTTPS", are you referring to redirects and document object references pointing to the http:// URL? If so, that's actually a pretty common issue when offloading SSL, and there are two things you can do about it:

There's an option in the HTTP profile called "Redirect Rewrite". This option is designed to catch redirects from the server and rewrite the http:// in the Location header to https://. This only applies to redirect (ie. 30x) responses.

An iRule and STREAM profile to catch all of the document object references in the HTTP payload. Apply a generic (empty) STREAM profile to the VIP and the following iRule:

when HTTP_REQUEST { HTTP::header remove Accept-Encoding STREAM::disable } when HTTP_RESPONSE { if { [HTTP::header Content-Type] contains "text" } { STREAM::expression {@http://@https://@} STREAM::enable } }

A STREAM is basically like a regular expression evaluator, but in hardware, so it's super fast. The above will find any reference to the string http:// in the HTTP response paylaod and replace it with https://. You may need to be more explicit in your search/replace if you have strings that you don't want replaced.
Patty_Cl_159208
Nimbostratus
Jul 24, 2014
Kevin,

Thank you so much. I was able to use the HTTP profile redirect/rewrite and that worked. I did try Option 2 but wasn't successful. I think I had details incorrect. I will work on that later. Patty

wlopez

Cirrocumulus

Feb 01, 2019

If you're redirecting within https, you could do something like this:

when HTTP_REQUEST {
    if { [HTTP::path] eq "/" } {
     HTTP::respond 301 Location "https://abc.xyz/BankingApp"   
    }
}

Agbenya_Adotey_
Nimbostratus
Feb 02, 2019
Thanks for the feedback. I will implement and revert
- Agbenya_Adotey_
  Nimbostratus
  Feb 04, 2019
  Hi Guys, The suggested approaches did not yield the desired results.
  
  Any other leads?
  
  Regards, Agbenya
- Agbenya_Adotey_
  Nimbostratus
  Feb 04, 2019
  Hi Kevin & wlopez, Actually your suggestions worked. It was my fault. Apologies.
  
  very grateful
  
  regards, Agbenya

Forum Discussion

irule to a pool using SSL

21 Replies

Recent Discussions

Enterprise Security best practices with F5 WAF

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

Related Content

iRules Heat Map - US Only

Assistance with iRule using port ranges

AS3 pool members using a list

decrypted tcpdump capture without using an iRule using tshark

use irule to sign data using sha256