irule to a pool using SSL

What I am trying to achieve is to send traffic to a specific pool based on the uri. Which works fine on http, the issue I have is when I use the irule on https.

I have to assign an http profile to enable me to add an irule, when I add the standard http profile we have the site browses very slowly or gets connection time out. I am assuming I need a different setting in the profile or + ssl profile (server).

 

Does anyone have any info on what the settings should be in an http profile (to allow ssl to work) or pointers to it? (FYI - if I add the http profile with no irule it does not work - so it's not the irule).

 

Thanks in advance.

 

0

Answers to this Question


When you say "my website returns HTTP not HTTPS", are you referring to redirects and document object references pointing to the http:// URL? If so, that's actually a pretty common issue when offloading SSL, and there are two things you can do about it:

  1. There's an option in the HTTP profile called "Redirect Rewrite". This option is designed to catch redirects from the server and rewrite the http:// in the Location header to https://. This only applies to redirect (i.e. 30x) responses.

  2. An iRule and STREAM profile to catch all of the document object references in the HTTP payload. Apply a generic (empty) STREAM profile to the VIP and the following iRule:

    when HTTP_REQUEST {
        # Ask the server for an uncompressed body so STREAM can match the text
        HTTP::header remove Accept-Encoding
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # Only rewrite textual payloads; leave images, archives etc. untouched
        if { [HTTP::header Content-Type] contains "text" } {
            STREAM::expression {@http://@https://@}
            STREAM::enable
        }
    }

A STREAM is basically like a regular expression evaluator, but in hardware, so it's super fast. The above will find any reference to the string http:// in the HTTP response payload and replace it with https://. You may need to be more explicit in your search/replace if you have strings that you don't want replaced.

1
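To see the two options side by side, here is an added Python model (not iRule code from this thread, and not how BIG-IP implements either feature) of (1) Location-header rewriting on 30x responses and (2) the STREAM expression on text bodies, including the "more explicit" search/replace the answer recommends so that third-party links survive. The host name and the sample back-end response are constructed for the example.

```python
import re

# Constructed for this example (not from the thread): the host the VIP fronts.
SITE_HOST = "www.mysite.com"


def rewrite_location(status, headers):
    """Option 1: model of the HTTP profile's Redirect Rewrite. Only the
    Location header of a 30x response is touched; page bodies are not."""
    loc = headers.get("Location", "")
    if 300 <= status < 400 and loc.startswith("http://"):
        return dict(headers, Location="https://" + loc[len("http://"):])
    return headers


def stream_rewrite(headers, body, scoped=False):
    """Option 2: model of the STREAM profile on a response payload.
    scoped=False is the literal expression @http://@https://@ from the
    iRule; scoped=True is the 'more explicit' search/replace the answer
    recommends, rewriting only references to our own host."""
    if "text" not in headers.get("Content-Type", ""):
        return body  # the iRule only enables STREAM on text content types
    if headers.get("Content-Encoding") == "gzip":
        # Compressed bytes never contain the literal string, which is why the
        # iRule removes Accept-Encoding from the request first.
        raise ValueError("compressed body: strip Accept-Encoding upstream")
    if scoped:
        pat = re.compile(rb"http://" + re.escape(SITE_HOST.encode()))
        return pat.sub(b"https://" + SITE_HOST.encode(), body)
    return body.replace(b"http://", b"https://")


# Constructed back-end response, as a plain-HTTP origin behind SSL offload
# would emit it: one self reference and one third-party link.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY = (b'<a href="http://www.mysite.com/abc">app</a>'
               b'<a href="http://partner.example/">partner</a>')

if __name__ == "__main__":
    print(rewrite_location(302, {"Location": "http://www.mysite.com/login"}))
    print(stream_rewrite(SAMPLE_HEADERS, SAMPLE_BODY))
    print(stream_rewrite(SAMPLE_HEADERS, SAMPLE_BODY, scoped=True))
```

The unscoped call shows why a blanket @http://@https://@ can be too greedy: the partner link is rewritten as well.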
Does it actually browse very slowly and/or sometimes time out, or does it just not work when you add the HTTP profile? There could be several things amiss here:

1. If you need to re-encrypt traffic to the back end server and you don't have a server SSL profile applied, it's more than likely not going to work at all.
2. If you have a 443 virtual server pooling to 443 servers, with no SSL profiles (SSL pass through), then you cannot add an HTTP profile. In fact if you're not terminating the client side SSL then you cannot use an HTTP profile.
3. You said "the standard http profile we have". Does that mean you've modified the default HTTP profile? If so, what did you change?
4. It could be that the application uses absolute addressing and cannot handle the https:// namespace when it's listening on http://. You need to look at what the server is sending to the client. If it's sending references to http:// resources (redirects, page objects, etc.), which the client cannot access, then you'll need to make provisions for that.
0
Comments on this Answer
Comment made 1 month ago by sniffer 55

Hello Kevin,

I need to configure my VS the way that you mention in step 1. I need to do SSL offload, pull some info and, based on that, check from which source they are coming; if that is matched I need to send to the server also as HTTPS. I am using SSL Profile Client for SSL offloading and that is working. I also configured SSL Profile Server but it is not working; when I check tcpdump between F5 and the end server I don't see an SSL handshake at all, so I am missing something :( Do you have any ideas?

Of course, if I am not using SSL offloading and just forward traffic, everything is working.

Thanks.

0
Comment made 1 month ago by Pete White

sniffer, check that your pool member is configured and listening on port 443.

0

Excellent info there.. working through it now... here is some more info if it helps:
The HTTP profile is the standard one (http); if this is enabled then the site times out.
If I use an SSL server profile, wom-default-serverssl (and no HTTP profile), it works fine; add the HTTP profile and it stops.

0
Think I am getting closer:

https://devcentral.f5.com/community/group/aft/1172003/asg/52

This is pretty close; looks like I need to forward, but how do I do that based on the string in HTTP::uri? What should I modify to make this iRule a forward?

when HTTP_REQUEST {
    # Lower-case the URI so the prefix match is case-insensitive
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/abc" } {
        pool W_APool_443
    } else {
        pool W_BPool_443
    }
}
0
I'm not sure that applies.

If you intend to decrypt the SSL on the client side, you need to apply a client SSL profile to the VIP. If you need to re-encrypt to the server, you need a server SSL profile applied to the VIP. If you intend to decrypt and then re-encrypt, then you need both client and server SSL profiles applied. If you're attempting to manage layer 7 (HTTP) data on an encrypted channel without first decrypting, then it will most certainly fail. You cannot see HTTP::uri in an HTTP_REQUEST event if you haven't applied a client SSL profile.

So, how is your VIP configured with respect to SSL encryption/decryption?
0
"So, how is your VIP configured with respect to SSL encryption/decryption?" - are you talking about client and server profiles? If so, I have tried a combination of all the standard ones and they do not seem to work.

Are there other settings for encryption/decryption?
0
Thinking about it.. I'd need the cert on the f5 to be able to unencrypt. That's not on there...

I feel like my problem is that! Thanks for your time Kevin.. this stuff is all new to me (if that wasn't obvious)
0
Let's step back and reassess.

Are clients contacting your virtual server on port 443 via HTTPS? If so you need a client SSL profile applied to the virtual server and 443 in the destination port of the virtual server.

Are the web servers behind the BIG-IP also listening on 443 (HTTPS)? If so you need a server SSL profile applied to the virtual server and the pool members should be configured with their respective IPs and port 443. If they are not HTTPS servers, then do NOT apply a server SSL profile.

At this point, and with no HTTP profile applied, you should be able to access your servers through the BIG-IP VIP. If that works, apply the generic HTTP profile without the iRule. If that works, apply the iRule.

Can you also post your iRule?
0
"I'd need the cert on the f5 to be able to unencrypt"

Assuming you're referring to the client SSL profile, you can use the generic default certificate and key for now. You'll get a browser trust error, but you'll still be able to negotiate SSL.
0
Correct KS.. the BIG-IP is listening on 443 and forwards to 443. If I add client and server SSL profiles I get the trust error. The problem is these are public web sites being served, so they cannot have trust issues :(

What I am trying to do is direct traffic to specific pools based on the uri. We have migrated part of the site to a new server, when we move it all then this will not be a problem as all traffic can be forwarded (saying that.. this has prompted me to seriously consider ssl offloading) and no uri check will happen.

This is my iRule (all names changed to protect the innocent).. so if you hit www.mysite.com/abc you will go to one set of servers.. anything else, you hit the originals.

when HTTP_REQUEST {
    # Lower-case the URI so the prefix match is case-insensitive
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/abc" } {
        pool W_APool_443
    } else {
        pool W_BPool_443
    }
}
0
So to summarize then, if you don't SSL offload, you can't apply an HTTP profile or use this iRule. If you do SSL offload, you'll need to get the certificate and key from each web server behind the BIG-IP to stop the trust errors.
0
Posted By Kevin Stewart on 02/21/2013 08:34 AM
So to summarize then, if you don't SSL offload, you can't apply an HTTP profile or use this iRule. If you do SSL offload, you'll need to get the certificate and key from each web server behind the BIG-IP to stop the trust errors.

A paragraph I was hoping to not see :) Tavm for the help.

0
Hi nastymatt,

Actually what Kevin is telling you is a good thing and not that difficult at all.

1. Export SSL Certificate from Server.
2. Import SSL Certificate into the LTM Certificate Store (Local Traffic -> SSL Certificates -> Import)
3. Create new SSL Profile (Local Traffic -> Profiles -> SSL -> Client) and assign the Certificate and Key that you imported.
4. Apply SSL Profile (Client) made in Step 3 to the Virtual Server, Apply SSL Profile (Server) to be the default "serverssl".
5. Apply an HTTP Profile (you could use the default if you wish)
6. Assign iRule to the Virtual Server.

This should solve your entire problem and allow your HTTPS Virtual Server to behave just like your HTTP Virtual Server with no SSL Certificate mismatch errors.

The biggest things to remember are:
1. You cannot use an iRule that uses HTTP Methods (when HTTP_REQUEST or when HTTP_RESPONSE) without an HTTP Profile assigned to the Virtual Server.
2. You cannot use an HTTP Profile on encrypted traffic, so if you need an iRule you need to at least Decrypt the traffic (SSL Profile (Client)).
3. If the downstream servers are expecting a secure session then you will need to apply an SSL Profile (Server). This tells the LTM that the downstream server wants to talk securely, so expect it.
0
Excellent details Michael. I will be putting this into practice next week.. so i might be back :)
0

This was a very helpful stream of info.

0

This is good information. I am new to F5 and have found the online info great, but I need some help. I have set up SSL offloading but my website returns HTTP not HTTPS. Current version is 11.4.0. I imported my cert and key into SSL profile (client), created my pool using port 80 on the pool members, created my VS using port 443. I'm using the http profile. I am not familiar with iRules but maybe I need a redirect? When I ping I am hitting the VIP.
Any assistance is appreciated. Thanks,

0

Kevin,

Thank you so much. I was able to use the HTTP profile redirect/rewrite and that worked. I did try Option 2 but wasn't successful. I think I had details incorrect. I will work on that later. Patty

0

Good afternoon guys. I am pretty new to F5. I have implemented SSL on a WebLogic 2-node cluster with OHS. I have F5 as load balancer. The URL https://abc.xyz/BankingApp can be accessed by users. Everything is OK. I want to implement an iRule such that when users type https://abc.xyz in their browser, the load balancer can convert it to https://abc.xyz/BankingApp

In our previous http environment it was easy to do. But can't figure out how to do that with https request.

Thanks for your assistance in advance.

Regards, Agbenya

0
Comments on this Answer
Comment made 1 month ago by Kevin Stewart

Does it matter that the client sees the URI?

when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        HTTP::redirect "/BankingApp"
    }
}
0

If you're redirecting within https, you could do something like this:

when HTTP_REQUEST {
    if { [HTTP::path] eq "/" } {
        HTTP::respond 301 Location "https://abc.xyz/BankingApp"
    }
}
0

Thanks for the feedback. I will implement and revert

0
Comments on this Answer
Comment made 1 month ago by Agbenya Adotey 2

Hi Guys, The suggested approaches did not yield the desired results.

Any other leads?

Regards, Agbenya

0
Comment made 1 month ago by Agbenya Adotey 2

Hi Kevin & wlopez, Actually your suggestions worked. It was my fault. Apologies.

Very grateful.

Regards, Agbenya

0