Forum Discussion

bls9701_10560
Jan 12, 2011

https redirect iRule requirements

Hello,

I believe from reading the manuals and forums that if a request comes in as HTTPS (as intended) and I need to change the URI with an iRule and send it to a pool still as HTTPS, I must have a client SSL profile configured (at least, maybe a server one as well).

I don't have direct access to the BIG-IP, so I can't use old-fashioned trial and error. Here are the issues I've experienced when trying to do this:

- Implementing an iRule on a virtual server requires an HTTP profile.

  a. Most of our SSL requests are passthrough for load balancing to a pool only; therefore, no specific profile is set for these (and by the way, they don't use port 443).

  b. When the F5 engineer sets the profile to HTTP to be able to add an iRule, all traffic on that virtual server is essentially blocked.

  c. I am guessing that (b) is caused because the HTTP profile and iRule try to read the request content, find it encrypted, and have no profile to decrypt it?

Questions

1. Can I do this without encryption/decryption, since I am only manipulating the request URL and not the content of the request/response?

2. If not, do I need both a client SSL and a server SSL profile (assuming that the message should still reach the app server in the pool via HTTPS, not terminating SSL)?

3. We've had a difficult time trying to get client/server SSL profiles configured in the past. What are the exact requirements?

  a. What kind of certificate does the client profile need?

     Our client web browsers trust the Root CA; is that all that is required?

  b. What kind of certificate does the server profile need?

     For the app servers, I generate a wildcard CSR for host.domain.com, the CA signs it, and I import it back. I tried working with the F5 engineer and had him attempt it in the past with no success. Does he generate a wildcard CSR for *.domain.com so that it can be reused for multiple sites, or does it have to be specific? Does it have to clone the cert of the app server, since it is in a way pretending to be the app server?

Thanks in advance for your help! Please let me know if any clarity is needed.

Brian

 

1 Reply

1. In order to see what the request URI is, you need to decrypt the request.

2. You'll need a clientSSL profile to decrypt the request and a serverSSL profile to re-encrypt it.

3A. You should be able to generate a cert request from the LTM and fulfill it from the Root CA. Simply change the key and cert within your ClientSSL profile and you should be set.

3B. Try simply using the default ServerSSL profile... that will usually work.
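The setup the reply describes, as an added example that is not part of the original thread and not F5's own code: an iRule (Tcl) that rewrites the request path on a virtual server carrying an http profile, a clientssl profile (decrypts the browser's request) and a serverssl profile (re-encrypts toward the pool). The pool name `app_pool_https`, the `/legacy/` prefix and its `/v2/` replacement are assumed names for illustration only.

```tcl
# Added example, not from the original post. Assumed names: pool
# "app_pool_https", old path prefix "/legacy/", new prefix "/v2/".
#
# Requires on the virtual server: tcp + http profile, a clientssl profile
# (so HTTP::* commands see plaintext) and a serverssl profile (so the
# rewritten request is re-encrypted before it reaches the pool members,
# which listen on HTTPS on whatever port the pool member is defined with).
when HTTP_REQUEST {
    # HTTP::path is only readable after the clientssl profile has decrypted
    # the request. On a passthrough virtual (no clientssl) the http profile
    # is handed TLS records instead of HTTP, and the connection fails.
    set path [HTTP::path]

    if { [string tolower $path] starts_with "/legacy/" } {
        # Rewrite only the path; carry the original query string over unchanged.
        # "/legacy/" is 8 characters, so the remainder starts at index 8.
        set newpath "/v2/[string range $path 8 end]"
        if { [HTTP::query] ne "" } {
            HTTP::uri "${newpath}?[HTTP::query]"
        } else {
            HTTP::uri $newpath
        }
        # Troubleshooting aid; remove or rate-limit in production.
        log local0. "Rewrote [HTTP::host]$path -> [HTTP::uri] for [IP::client_addr]"
    }

    # Direct the (possibly rewritten) request to the HTTPS pool. The
    # serverssl profile on the virtual server handles the server-side TLS.
    pool app_pool_https
}
```

Usage note. Attach the iRule to a virtual server that has the http profile plus a clientssl profile on the client side and a serverssl profile on the server side, e.g. in tmsh (assumed names): `create ltm virtual vs_app_8443 destination 10.0.0.10:8443 ip-protocol tcp profiles add { tcp http clientssl_app { context clientside } serverssl { context serverside } } rules { rewrite_legacy_uri } pool app_pool_https`. The certificate in the clientssl profile must match the hostname browsers type in (the name that resolves to the virtual server), so a wildcard `*.domain.com` certificate signed by the CA the browsers already trust covers any single-label host in that domain; it does not need to be a copy of the app server's certificate. Two checks worth doing: the default `serverssl` profile does not verify the pool member's certificate (peer certificate mode is ignore), which is why it "usually works" but also means the re-encrypted leg authenticates nothing; if that leg crosses an untrusted network, set `peer-cert-mode require` and a `ca-file` on a custom server-ssl profile. And because the pool members do not use port 443, confirm the pool member port is the one the back-end TLS listener actually uses, or the serverssl handshake will fail in exactly the way a missing profile does.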