Forum Discussion

PacketHead_4009's avatar
PacketHead_4009
Icon for Nimbostratus rankNimbostratus
Nov 08, 2010

iRule with SSL Offloading Options?

Hello,

 

 

I need to know if there is an iRule out there that will do the following:

 

 

I have a VIP/site on the F5 https://mysite.com/pddusers and currently it is SSL only. We offload SSL on the F5 and run over port 80 to the back end servers.

 

 

We have a new application that runs on the same backend servers but listens on port 443/SSL. What we want to do is allow users who enter the url https://mysite.com/ittausers/proc to not offload the SSL on the F5 load balancers and to talk to the 443 IIS instance on the back end servers but still allow users to access https://mysite.com/pddusers via the normal SSL offloading method. Is this possible? It seems like I would need to process the iRule before it strips/decrypts the SSL.

 

 

Any help or info would be greatly appreciated.

 

 

Regards,

 

 

James

 

application delivery
dev
devops
iRules

2 Replies

Sort By
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Nov 08, 2010
    In your post, you've specified HTTP links, are they actually HTTPS or do you use a rule to redirect HTTP to HTTPS? Your assumption is correct that you'll need to decrypt the request before processing the rule.

     

     

    What's your motivation for not wanting to terminate SSL at the F5 for the new application? You could configure an iRule that still sends requests for /ittausers/proc to the port 443 pool but that'd happen after the decryption was done.
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Nov 09, 2010
    Hi James,

     

     

    As Chris said, you'd have to decrypt the SSL in order to determine which URI the client was requesting. You could technically decrypt all of the clientside SSL and then re-encrypt specific serverside requests using the SSL::disable command. See the wiki page for some examples:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__disable

     

     

    Aaron