

Serverside HTTPS and HTTP mixed connections

For one URI, requests go to an HTTPS server (server SSL profile is on); for a different URI, requests should go to an HTTP server (server SSL is off).

The problem comes up when the first request goes to the HTTPS server and the next request should go to the HTTP server. Our LTM wrongly tries to pass the request, within the same TCP session, to the HTTPS server, and only after many seconds does the request eventually go to the HTTP server as expected (when a new clientside HTTPS session is set up). This causes long delays when loading some objects from the HTTP server.

How can I force the LTM to route the request to the HTTP server without delay?

(OneConnect profile is off; version 14.1.0.2.)


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You may need to add an LB::detach command before changing the pool you are using. It is possible that the load-balancing decision is being made before the HTTP_REQUEST event triggers, meaning that it will only change when another TCP connection comes in and the load-balancing decision is re-evaluated.

Comments on this Answer
Comment made 1 week ago by Rico 784

I will run some tests when I am able and get back to you

Comment made 1 week ago by PiotrL 254

Rico, you are right; LB::detach seems to be a solution. I'll look into it more closely tomorrow. Thanks.

Comment made 1 week ago by Rico 784

It seems to be working as expected in my tests. Let me know how it goes for you.

If you have any more questions, I am sure I can help.

Comment made 1 week ago by PiotrL 254

Our tests confirmed your solution. Thanks again

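The accepted suggestion written out as a complete iRule, as an added example that is not code from the original thread. It assumes the pool names from the question (aaaa-nossl_pool, bbbb-ssl_pool), a hypothetical rule name, and a lowercase placeholder host; the lastPool bookkeeping and the 404 fallback are choices made here, not something the thread states. The point it demonstrates is the one the thread converged on: a second "pool" command on an already-open clientside connection does not by itself move the next request off the serverside flow that was opened for the first request, so a request meant for the plain-HTTP backend is carried over the TLS connection to the HTTPS backend (including any headers and cookies the client sent) until that flow eventually times out. LB::detach before the pool selection forces a fresh load-balancing decision and a fresh serverside connection.

```tmsh
ltm rule /Common/mixed_serverside_ssl {
when CLIENT_ACCEPTED {
    # Connection-scoped state: the pool the currently open serverside flow
    # was opened for. Empty until the first request on this connection is routed.
    set lastPool ""
}

when HTTP_REQUEST {
    set doSSL 0
    set target ""

    # HTTP::host is lowercased before matching, so the literals must be
    # lowercase too ("hosta" is a placeholder for the real hostname).
    switch -glob [string tolower [HTTP::host]] {
        "hosta" {
            switch -glob [string tolower [HTTP::uri]] {
                "/aaaa/*" { set target aaaa-nossl_pool }
                "/bbbb/*" {
                    set doSSL 1
                    HTTP::header replace Host "hostname"
                    set target bbbb-ssl_pool
                }
            }
        }
    }

    if { $target eq "" } {
        # No rule matched and the virtual has no default pool (as in the
        # question): answer here rather than let the request fall through
        # to whatever serverside flow happens to be open. Assumed behaviour.
        HTTP::respond 404 content "not found" noserver
        return
    }

    # Without OneConnect the serverside flow opened for the first request stays
    # bound to this clientside connection, and a later "pool" command alone does
    # not move the next request off it. Detaching forces a new load-balancing
    # decision (and a new TCP connection) whenever the target pool changes.
    if { $lastPool ne "" && $lastPool ne $target } {
        LB::detach
    }
    set lastPool $target
    pool $target
}

when SERVER_CONNECTED {
    # Fires once per serverside TCP connection, so also after every detach;
    # the SSL setting therefore always matches the pool the new flow went to.
    if { $doSSL } {
        SSL::enable serverside
    } else {
        SSL::disable serverside
    }
}
}
```

The variables set in CLIENT_ACCEPTED and HTTP_REQUEST live for the lifetime of the clientside connection, which is why SERVER_CONNECTED can read doSSL. Detaching only when the target actually changes keeps the serverside connection alive for consecutive requests to the same backend, so the fix costs a new TCP (and, for bbbb-ssl_pool, TLS) handshake only at the boundary between the two URI spaces.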
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

How are you checking different URIs, are you using a policy or an iRule? Are you able to share your config?

Comments on this Answer
Comment made 1 week ago by PiotrL 254

I'm using an iRule; in short it looks as follows:

 when HTTP_REQUEST {
     set doSSL 0
     # HTTP::host is lowercased before matching, so the pattern must be
     # lowercase as well ("hosta" stands in for the real hostname)
     switch -glob [string tolower [HTTP::host]] {
         "hosta" {
             switch -glob [string tolower [HTTP::uri]] {
                 "/aaaa/*" { pool aaaa-nossl_pool }
                 "/bbbb/*" {
                     set doSSL 1
                     HTTP::header replace Host "hostname"
                     pool bbbb-ssl_pool
                 }
             }
         }
     }
 }

 when SERVER_CONNECTED {
     # doSSL was set in HTTP_REQUEST on the same clientside connection
     if { $doSSL == 0 } {
         SSL::disable serverside
     } elseif { $doSSL == 1 } {
         SSL::enable serverside
     }
 }
Comment made 1 week ago by Lee Sutcliffe 2773

Could you try the following iRule? I've added some logging; I'd be curious to know whether the variable doSSL isn't being set for subsequent requests that do not require SSL. I've also removed SSL::enable: if you have a server SSL profile, this will be implied. I don't expect this to work, but could you please post back the logs for the SSL and non-SSL URIs? That way we might have a better understanding of what's going on.

Thanks

when HTTP_REQUEST {
    set doSSL 0
    set uri [HTTP::uri]
    # HTTP::host is lowercased before matching, so the pattern must be
    # lowercase as well ("hosta" stands in for the real hostname)
    switch -glob [string tolower [HTTP::host]] {
        "hosta" {
            switch -glob [string tolower [HTTP::uri]] {
                "/aaaa/*" {
                    log local0. "will not use SSL, doSSL:$doSSL for uri: $uri"
                    pool aaaa-nossl_pool
                }
                "/bbbb/*" {
                    set doSSL 1
                    log local0. "doSSL:$doSSL for uri: $uri"
                    HTTP::header replace Host "hostname"
                    pool bbbb-ssl_pool
                }
            }
        }
    }
}

when SERVER_CONNECTED {
    # only fires once the serverside TCP handshake has completed
    log local0. "doSSL set to $doSSL for uri: $uri"
    if {!$doSSL} {
        log local0. "disabling SSL for uri: $uri"
        SSL::disable serverside
    }
}
Comment made 1 week ago by PiotrL 254

As this is a working environment I can't make any changes right now. Still, after adding a log statement under /aaaa/, requests for /aaaa/ are logged as expected, yet they are not directed to aaaa-nossl_pool at once but to bbbb-ssl_pool over the open TCP connection.

So the problem occurs when the client sends requests over one TCP connection (the clientside connection).

Comment made 1 week ago by Lee Sutcliffe 2773

Are you sure that aaaa-nossl_pool is active and responding to a TCP three-way handshake? The SERVER_CONNECTED event is only initiated after the three-way handshake is complete. Do you have a default pool applied to the virtual server?

Comment made 1 week ago by PiotrL 254

There is no default pool, and aaaa-nossl_pool is active. The request for /aaaa/ is eventually routed to aaaa-nossl_pool, but the first or even the second request is wrongly routed via the open SSL serverside connection to bbbb-ssl_pool.

Comment made 1 week ago by Lee Sutcliffe 2773

You really need to add some logging in the SERVER_CONNECTED event when you have a sufficient change window, if you don't have a pre-prod environment where you can replicate the issue.

The fact it is selecting bbbb-ssl_pool suggests $doSSL is set to 1.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I always use an LTM policy. Everything is working fine there, also with 14.1.0.2.
So our setup: create an HTTPS virtual server with the default server SSL profile and OneConnect enabled.
Add an LTM policy and create a rule with URI mapping, destination pool and server SSL disabled, if necessary. If you want, create a default rule forwarding to your default pool, but that's not necessary.
We always add a default pool. Without one, the virtual server has status unknown.
That's it.
We are fresh on 14.1.0.2, but I don't see any trouble at the moment.

Comments on this Answer
Comment made 1 week ago by PiotrL 254

It sounds reasonable, I need to start using ltm policies ...

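The policy-based setup described in the last answer, written out as a bigip.conf-style fragment. This is an added example, not configuration from the original thread: the policy and rule names are hypothetical, the pool names and URI prefixes are taken from the question, the host value is a lowercase placeholder, and the virtual server, server SSL profile and OneConnect profile the answer mentions are assumed to exist. The http-host / http-uri operand names and the server-ssl action keyword should be checked against `tmsh help ltm policy` on the running version before use.

```tmsh
ltm policy /Common/mixed_serverside_ssl_policy {
    # Declare what the rules are allowed to do; a rule using an action whose
    # control is not listed here is rejected at load time.
    controls { forwarding server-ssl }
    # Conditions on Host and URI need the HTTP profile on the virtual server.
    requires { http }
    # Stop at the first matching rule, in ordinal order.
    strategy first-match
    rules {
        aaaa_nossl {
            conditions {
                0 { http-host host values { hosta } }
                1 { http-uri path starts-with values { /aaaa/ } }
            }
            actions {
                # Plain-HTTP backend: pick the pool and turn serverside SSL
                # off for this request, overriding the server SSL profile.
                0 { forward select pool /Common/aaaa-nossl_pool }
                1 { server-ssl disable }
            }
            ordinal 1
        }
        bbbb_ssl {
            conditions {
                0 { http-host host values { hosta } }
                1 { http-uri path starts-with values { /bbbb/ } }
            }
            actions {
                # HTTPS backend: rewrite Host as the iRule did and forward;
                # serverside SSL stays on via the attached server SSL profile.
                0 { http-header replace name Host value hostname }
                1 { forward select pool /Common/bbbb-ssl_pool }
            }
            ordinal 2
        }
    }
}
```

Since 12.1 policies are edited as drafts and then published (for example `tmsh create ltm policy Drafts/mixed_serverside_ssl_policy ...` followed by `tmsh publish ltm policy Drafts/mixed_serverside_ssl_policy`) before being attached to the virtual server, so the fragment above is the published form. The forwarding action is evaluated for each request, which is what makes this approach avoid the stuck-serverside-flow problem the question describes; the default pool the answer recommends only catches requests that match neither rule.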