Forum Discussion

John_Lennon_457's avatar
John_Lennon_457
Icon for Nimbostratus rankNimbostratus
Nov 30, 2010

ProxyPass iRule and pools with both HTTP and HTTPS webservers

I'm using the ProxyPass v10 iRule that Kirk wrote to redirect to a pool based on URI. The webservers use HTTP except for one that requires HTTPS. All traffic comes in to a single host IP, same FQHN but I need to use a Reverse Proxy feature (I'm trying to replace Apache) to redirect based on URI to the correct pool, hence the need for the ProxyPass iRule.

 

 

I simplified the Data Group for simplicity, it would look like:

 

 

"/1" := "/1 PoolHTTP1",

 

"/2" := "/2 PoolHTTP2",

 

"/3" := "/3 PoolHTTP3",

 

"/4" := "/4 PoolHTTPS4",

 

 

My problem is with the last one, I don't know how to configure my VS and iRule to select HTTPS for the odd case, and keep HTTP for everything else.

 

 

The traffic flow would be:

 

 

users --HTTP--> LTM --HTTP--> PoolHTTP1-3

 

users --HTTP--> LTM --HTTPS--> PoolHTTPS4

 

 

In other words, users always connect to the same FQHN via HTTP, I need HTTP to the web servers in most cases and HTTPS for just one case.

 

 

Thank you in advance for your help.

 

application delivery
dev
devops
iRules

7 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Nov 30, 2010
    Hi John,

     

     

    I haven't tested this functionality, but the ProxyPassV10 rule seems to support server side SSL using a datagroup named ProxyPassSSLProfiles:

     

     

    
 From: http://devcentral.f5.com/wiki/default.aspx/iRules/ProxyPassV10.html

 The following code will look up SSL profile rules from 
 the Data Group ProxyPassSSLProfiles" and apply 
 them. 
 
 The format of the entries in this list is as follows: 
 
   
 
 All entries are separated by spaces, and both items 
 are required.  The virtual server also will need to
 have any serverssl profile applied to it for this to work.

     

     

    Aaron
  • John_Lennon_457's avatar
    John_Lennon_457
    Icon for Nimbostratus rankNimbostratus
    Dec 01, 2010
    Aaron,

     

    my understanding is that ProxyPass can select a different SSL Server Profile with the feature you pointed out, but it still requires the Virtual Server to have a generic ssl profile applied.

     

     

    From the ProxyPass iRule:

     

     

    The virtual server also will need to

     

    have any serverssl profile applied to it for this to work.

     

     

    and

     

     

    log local0. "$log_prefix: ServerSSL profile must be defined on virtual server to enable server-side encryption!"

     

     

    Do you have any other suggestion on how I could solve my issue?

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Dec 02, 2010
    Hi John,

    If you want to specify a server SSL profile in an iRule, there must be a (any) server SSL profile on the virtual server. The ProxyPass iRule does a lookup for the currently selected pool in the ProxyPassSSLProfiles datagroup. If a match is not found, then the server SSL profile is disabled using SSL::disable. So I think this should work for your scenario. 

    
   set profilename [findclass $pool ProxyPassSSLProfiles " "]

   if {$profilename eq ""} { 
      if { [PROFILE::exists serverssl] == 1} {
          Hide this command from the iRule parser (in case no serverssl profile is applied) 
         set disable "SSL::disable serverside" 
         catch {eval $disable}
      }
      return 
   }

    Aaron
  • Fabrizio_Chiava's avatar
    Fabrizio_Chiava
    Icon for Nimbostratus rankNimbostratus
    Aug 16, 2011
    Hi,

     

    I have a similar problem with ProxyPass v10. I need to rewrite:

     

     

    "http://external_hostname/" := "https://internal_hostname:443 pool_test_443"

     

     

    Is it possible to configure that?

     

     

    Thanks a lot.

     

    Ragards

     

    Fabrizio.

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Aug 16, 2011
    Hi Fabrizio,

     

     

    That looks like something to start testing with. If you add a server SSL profile name to the end of the datagroup value, does it work? If not, can you enable debug logging and reply here with your datagroup contents and the debug logging from /var/log/ltm?

     

     

    Aaron
  • Fabrizio_Chiava's avatar
    Fabrizio_Chiava
    Icon for Nimbostratus rankNimbostratus
    Aug 17, 2011
    Hi Aaron,

     

    in first thanks for quick reply, I have to try it with profile ssl, I'll inform you asap.

     

     

    Thanks a lot

     

    Best regards

     

    Fabrizio.