iRule to choose SSL serverside Profile to use based on HTTP_REQUEST

Hi Folks,

I want to think this is possible. I am trying to select the serverside connection's SSL profile based on the HTTP_REQUEST and host header. For example,

If the host header is abc.example.com, I want the serverside SSL profile to be the default serverssl. But if the host header is xyz.example.com, then I want the serverside SSL profile to be serverssl-insecure-compatible. The client side connection works fine, and I am also using a wildcard cert for example.com.

I've seen a lot of posts on enabling or disabling SSL server profiles, but not about selecting which profile to use.

Here is my code thus far.

when HTTP_REQUEST {
    HTTP::header remove "Accept-Encoding"

    switch [string tolower [HTTP::host]] {
        "abc.example.com" {
            ##Server ssl profile select goes here##
            pool abc_pool_https
        }
        "xyz.example.com" {
            ##Server ssl profile select goes here##
            pool xyz_pool
        }
    }
}
2

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Figured it out! Had to add a variable in the HTTP_REQUEST and add the event for SERVER_CONNECTED. See code below.

when HTTP_REQUEST {
    HTTP::header remove "Accept-Encoding"

    # Default for every request, so SERVER_CONNECTED never reads an unset
    # (or stale, on a keep-alive connection) value
    set doSSL 0

    switch [string tolower [HTTP::host]] {
        "abc.example.com" {
            ##Server ssl profile select goes here##
            pool abc_pool_https
        }
        "xyz.example.com" {
            set doSSL 1
            pool xyz_pool
        }
    }
}
when SERVER_CONNECTED {
    if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile serverssl-insecure-compatible
    }
}
0
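A hardened variant of the approach in the answer above, as an added example that is not part of the original post: it strips any port from the client-supplied Host header, resets the selection on every request, rejects hosts that are not listed instead of letting them fall through, and logs each time the weaker profile is chosen. The pool and profile names are the ones used in the question; the variable name `ss_profile` and the log messages are illustrative, and the example assumes a server SSL profile is already attached to the virtual server.

```tcl
when HTTP_REQUEST {
    # Variables live for the whole client connection, so reset the choice on
    # every request; a keep-alive request must not inherit an earlier one.
    set ss_profile ""

    # The Host header is client-supplied and may carry a port ("host:443").
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "abc.example.com" {
            set ss_profile "serverssl"
            pool abc_pool_https
        }
        "xyz.example.com" {
            # The weaker profile is limited to the one back end that needs it.
            set ss_profile "serverssl-insecure-compatible"
            pool xyz_pool
            # Only the matched, known host name is logged, never the raw header.
            log local0.notice "insecure-compatible serverssl selected: host=$host client=[IP::client_addr]"
        }
        default {
            # Unlisted Host values never reach a pool or a server SSL profile.
            log local0.warning "rejected unexpected Host header from [IP::client_addr]"
            reject
            return
        }
    }
}

when SERVER_CONNECTED {
    # Fires before the server-side SSL handshake; apply the profile chosen above.
    # Assumes server-side SSL is enabled by a profile attached to the virtual server.
    if { [info exists ss_profile] && $ss_profile ne "" } {
        SSL::profile $ss_profile
    }
}
```

Logging each selection of the insecure-compatible profile gives a record of which clients and back ends still depend on it, which is useful when planning its removal.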

Can you do the same thing on the client side?

0

Can you do the same thing on the client side?

Isn't SNI usable?

sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication feature

http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html

0

This is older, but I wanted to add my notes/comments because I just ran into this. Hope this helps someone out in the future.

I added a default SSL server profile to my VIP, then updated my primary iRule to initially disable the server-side SSL for all sites and then re-enable it on the website that I needed it on.

when CLIENT_ACCEPTED {
    # Start every connection with server-side SSL turned off
    SSL::disable serverside
}

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        site1.website.com { pool site1.website.com_pool }
        site2.website.com { pool site2.website.com_pool }
        SSLsite3.website.com {
            # Only this site re-enables server-side SSL
            SSL::enable serverside
            pool SSLsite3.website.com_pool
        }
        site4.website.com { pool site4.website.com_pool }
        default { reject }
    }
}
0

Hi,

You can do this more easily since version 11.5 (the feature is available in 11.4 but not working...) with Local Traffic Policies.

Rule 1:

  • Condition :
    • HTTP-host host site1.website.com
  • action :
    • forward pool site1.website.com_pool
    • serverssl disable

Rule 2:

  • Condition :
    • HTTP-host host site2.website.com
  • action :
    • forward pool site2.website.com_pool
    • serverssl disable

Rule 3 (SSL Site):

  • Condition :
    • HTTP-host host site3.website.com
  • action :
    • forward pool site3.website.com_pool
0
Comments on this Answer
Comment made 04-Oct-2016 by rowanboy2012 0

I realise this is an older post, however with F5 in Azure (with all the current limitations) becoming more prevalent I have encountered the need to select different serverSSL profiles based on the incoming URI. I found the below iRule works well in my lab environment (and could easily be adapted for selecting a serverSSL profile based on uri rather than just host):

when HTTP_REQUEST {
    #Grab host from HTTP headers
    set host [string tolower [HTTP::host]]
    #Switch used for conditional checking. Depending on values, SSL is enabled, pool is selected and doSSL variable is set
    switch -glob $host {
        "www.test.com" {
            set doSSL 0
            pool http_pool
        }
        "secure.test.com" {
            set doSSL 1
            SSL::enable serverside
            pool https_pool
        }
        "other.test.com" {
            set doSSL 2
            SSL::enable serverside
            pool https_pool
        }
        "*" {
            set doSSL 3
            SSL::enable serverside
            pool https_pool
        }
    }
}
when SERVER_CONNECTED {
    #doSSL variable is checked and SSL disabled or profile selected
    if {$doSSL == 0} {
        SSL::disable serverside
    } elseif {$doSSL == 1} {
        SSL::profile custom_serverssl
    } elseif {$doSSL == 2} {
        SSL::profile custom_serverssl2
    } elseif {$doSSL == 3} {
        SSL::profile serverssl
    }
}

I found the diagram in the following link particularly useful in getting this working: https://devcentral.f5.com/questions/irule-event-order-https-ssl-client-server-side

This iRule tests ok in 12.1.1 - no obvious error messages so far :)

Hope this helps someone!

Regards,

Rowanboy

1

Thank you.... this post helped me.

0