
SSL iRule on a non-SSL VIP??

This iRule inserts specific headers depending on whether the connection is HTTPS-AUTH (requiring a client certificate), HTTPS, or HTTP. I am able to apply this iRule to the HTTPS and HTTPS-AUTH VIPs just fine, and the headers are getting inserted correctly. However when I try to apply this iRule to an HTTP VIP, I get this error:

01070394:3: SSL::cipher in rule (iRule name) requires an associated SERVERSSL or CLIENTSSL profile on the virtual server (VIP Name).

It would be nice to have this iRule work for all three protocols since we would only have to manage one iRule across all VIPs. I've played around with adding empty client and server side profiles, but that somehow still tried to SSL-ize the traffic. Do I need to split the HTTP part out into its own iRule or do you know of a way to get this to work with one iRule?

Thanks in advance!

when HTTP_REQUEST {
    # Drop any copies of these headers sent by the client before setting our own
    HTTP::header remove SSLSubject
    HTTP::header remove SSLClientCert
    HTTP::header remove SSLCipher
    HTTP::header remove WebProtocol
    HTTP::header remove ClientIP
    HTTP::header replace ClientIP [IP::remote_addr]
    if { [PROFILE::exists clientssl] == 1 } {
        HTTP::header replace SSLCipher [SSL::cipher name]:[SSL::cipher bits]-[SSL::cipher version]
        if { [SSL::cert count] > 0 } {
            # Client certificate presented: pass subject and certificate to the backend
            HTTP::header replace SSLSubject [b64encode [X509::subject [SSL::cert 0]]]
            HTTP::header replace SSLClientCert [b64encode [SSL::cert 0]]
            HTTP::header replace WebProtocol "HTTPS-auth"
        } else {
            HTTP::header replace WebProtocol "HTTPS"
        }
    } else {
        HTTP::header replace WebProtocol "HTTP"
    }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
You can "hide" the SSL commands from the interpreter by stuffing them into variables, then eval'ing the vars, something like this:
   
when HTTP_REQUEST {
    ...
    if { [PROFILE::exists clientssl] == 1 } {
        set cname "SSL::cipher name"
        set cbits "SSL::cipher bits"
        set cver "SSL::cipher version"
        HTTP::header replace SSLCipher [eval $cname]:[eval $cbits]-[eval $cver]
        ...


HTH
/deb
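
The accepted answer's eval approach applied to the whole iRule from the question, as an added example that is not part of the original thread. It assumes the validator treats `SSL::cert` the same way as `SSL::cipher` and that `X509::subject` needs no hiding; the thread confirms neither, and the variable names `ccount` and `ccert` are introduced here.

```tcl
# Added example, not code from the thread: one iRule for HTTP, HTTPS and HTTPS-auth VIPs.
when HTTP_REQUEST {
    # Remove client-supplied copies first so the backend only ever sees
    # values set by the BIG-IP, never ones a caller sent in.
    foreach h {SSLSubject SSLClientCert SSLCipher WebProtocol ClientIP} {
        HTTP::header remove $h
    }
    HTTP::header replace ClientIP [IP::remote_addr]

    if { [PROFILE::exists clientssl] == 1 } {
        # SSL:: commands are kept in strings and eval'd at run time, so they
        # only execute on a VIP that actually has a client SSL profile.
        set cname  "SSL::cipher name"
        set cbits  "SSL::cipher bits"
        set cver   "SSL::cipher version"
        set ccount "SSL::cert count"   ;# assumption: needs hiding like SSL::cipher
        set ccert  "SSL::cert 0"       ;# assumption: needs hiding like SSL::cipher

        HTTP::header replace SSLCipher "[eval $cname]:[eval $cbits]-[eval $cver]"

        if { [eval $ccount] > 0 } {
            # Fetch the client certificate once and reuse it for both headers.
            set cert [eval $ccert]
            HTTP::header replace SSLSubject [b64encode [X509::subject $cert]]
            HTTP::header replace SSLClientCert [b64encode $cert]
            HTTP::header replace WebProtocol "HTTPS-auth"
        } else {
            HTTP::header replace WebProtocol "HTTPS"
        }
    } else {
        # No client SSL profile on this virtual server: plain HTTP.
        HTTP::header replace WebProtocol "HTTP"
    }
}
```

On every VIP type the backend should trust these headers only because the iRule removes inbound copies before setting them, so the remove step has to stay ahead of any branch.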