Forum Discussion

Dayton_Gray_103's avatar
Dayton_Gray_103
Icon for Nimbostratus rankNimbostratus
Nov 15, 2011

Can one set an SSL Server Profile based on the pool member used?

I have a fairly convoluted scenario.

I am sending HTTP traffic to local web servers (using NAT) as well as to an internet facing address at another datacenter (using a SNAT pool). All addresses are ratio load balanced in the same pool and I am using a universal persistence profile to look for a cookie so that the connections will persist (as I need connections to the other datacenter to continue being sent there).

The above seems to work very well for the HTTP virtual server. I am however wondering how I can get this to work with the HTTPS virtual server. I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently.

Does anyone know if this is a possibility given the above scenario? Here is the iRule that is being used with the universal persistence:


when HTTP_REQUEST {
    Check if there is a MYCOOKIE cookie
   if {[HTTP::cookie "MYCOOKIE"] ne ""}{
       Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
      persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}
when HTTP_RESPONSE {
    Check if there is a MYCOOKIE cookie in the response
   if {[HTTP::cookie "MYCOOKIE"] ne ""} {
       Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
      persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}

Thanks!!

application delivery
dev
devops
iRules

4 Replies

Sort By
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Nov 16, 2011
    is this applicable? 

    [root@ve1023:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:https
   ip protocol tcp
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      serverssl {
         serverside
      }
      tcp {}
   }
}
[root@ve1023:Active] config  b pool foo list
pool foo {
   members {
      200.200.200.101:http {}
      200.200.200.102:https {}
   }
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when LB_SELECTED {
        if {[LB::server port] equals "80"}{
                SSL::disable serverside
        }
}
when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::remote_addr]:[TCP::remote_port]"
}
}

[root@ve1023:Active] config  curl -Ik https://172.28.65.152
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 06:46:27 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 08 Nov 2011 12:26:29 GMT
ETag: "4183f1-30-47e02740"
Accept-Ranges: bytes
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8

[root@ve1023:Active] config  
Nov 15 22:46:36 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50401 -> 200.200.200.102:443

[root@ve1023:Active] config  curl -Ik https://172.28.65.152
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 06:46:53 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Connection: close
Content-Type: text/html; charset=UTF-8

[root@ve1023:Active] config  
Nov 15 22:46:39 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50402 -> 200.200.200.101:80
  • Dayton_Gray_103's avatar
    Dayton_Gray_103
    Icon for Nimbostratus rankNimbostratus
    Nov 16, 2011
    It is a bit different than that. I am hoping to be able to set a server ssl profile for the virtual server when traffic is destined to one of the pool members. This will reencrypt the traffic back out to that member. The virtual server is set to only using a client ssl profile (desired behavior for the other pool members).

     

     

    The solution I'm looking for is really to split a portion of traffic to another datacenter seemlessly. Sort of like a poor mans datacenter load balancer but without using DNS.
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Nov 16, 2011
    Hi Dayton,

     

     

    You stated " I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently."

     

     

    I have done something similar, but what I was working on was encrypting traffic to a specific pool of servers on an HTTP Virtual Server, which is very similar to what you are doing because your configuration is SSL Offload.

     

     

    First, you will need to assign the SSL Profile (Server) to something (either the default "serverssl" or the one that you want to use specifically for this traffic, either way, set it to something). It does not matter because you will be disabling the SSL Profile first thing anyway (so that the rest of the Virtual Server still acts as if it is SSL Offloaded).

     

     

    Write the rest of your iRule routing to this special set of servers as normal (because later in your iRule (the SERVER_CONNETED Event) you will list the conditions to Enable the SSL Profile, and at the same time you can choose the SSL Profile in the same event.

     

     

    Try integrating the following:

     

     

    
when CLIENT_ACCEPTED {
        I want the Virtual Server to be SSL Offload unless it needs to be encrypted to the Server.
        SSL::disable serverside
}
when SERVER_CONNECTED {
        if { ([string tolower [LB::server pool]] eq The.Special.SSL.Pool ) } {
                SSL::enable serverside
        }
        else {
                Insurance to make sure that if it is enabled anywhere else that it is disabled.
                SSL::disable serverside
        }
}

     

     

    In the above code I triggered it on the Pool Name, but you can easily change this to [LB::server addr] and list the Server IP Address to trigger the SSL Profile Enable.

     

     

    Hope this helps.
  • spark_86682's avatar
    spark_86682
    Historic F5 Account
    Nov 16, 2011
    Are you wanting to use different serverssl profiles, or just sometimes reencrypt and sometimes not. If the former, use SSL::profile in SERVER_CONNECTED. If the latter, attach the profile to the vip and then use SSL::disable in SERVER_CONNECTED if you don't need to reencrypt.