Forum Discussion

kona2-9_51980
May 17, 2012

Trying to create an iRule to serve multiple http and https pools based off of a single VIP

I am attempting to create a single VIP listening on port * that, when requests are received, looks at the URI and decides which pool to direct the traffic to.

I have four pools:

    testa.org
    testa-ssl
    testb.org
    testb.org-ssl

I can see that when I send plain HTTP traffic to either, my log line is hit, but when I select HTTPS I get no hits. Any suggested articles or changes appreciated.

    when HTTP_REQUEST {
        log local0. "in HTTP_REQUEST"
        if { [HTTP::uri] contains "testa.org" and [TCP::server_port] == 80 } {
            pool testa.org
        } elseif { [HTTP::uri] contains "testb.org" and [TCP::server_port] == 80 } {
            pool testb.org
        } elseif { [HTTP::uri] contains "testa.org" and [TCP::server_port] == 443 } {
            pool testa.org-ssl
        } elseif { [HTTP::uri] contains "testb.org" and [TCP::server_port] == 443 } {
            pool testb.org-ssl
        }
    }

 

 

9 Replies

  • Most likely a certificate or rather a Client SSL profile issue. I would just create two VIPs with the same IP on port 80 and 443, then split the iRule between them...
  • Hi kona2-9,

    The "testa.org" and "testb.org" should be in the [HTTP::host] value, not the [HTTP::uri].

    Example: http://www.website.com/foo/bar/index.html

    HTTP::host value: www.website.com
    HTTP::uri value: /foo/bar/index.html

    Try updating your iRule and see if it starts to work properly.

    Hope this helps.
  • Richard__Harlan
    Historic F5 Account
    When SSL traffic comes into the Virtual, the HTTP_REQUEST event will never be hit unless you have a clientssl profile enabled on the VIP. If you do not, then the VIP is resetting all the SSL traffic as it is not HTTP traffic. To get around this you need to have a virtual that has an SSL profile. With version 11 you can have multiple ClientSSL profiles attached to the VIP with SNI. With this, the client sends in the Client Hello what cert it is expecting to see; the LTM will read that and return the correct SSL cert, unless that profile is not attached to the VIP, in which case it will return the default profile. Hope that helps fix the SSL issue.

  • Yes, it's your use of HTTP_REQUEST here that's the issue. That's not available in an SSL session that the LTM isn't offloading. The thing you want to do in SSL is called "Server Name Indication" and v11 includes tools to support this (although please note that if you expect any Windows XP users, they won't be able to use SNI).

    At a bare minimum, you probably need to split these sites into multiple VIPs if you can spare the IP addresses and can control the DNS hostnames.
  • Sorry for the long reply, but what I have done is split the VIP based on port. VIP::80 works after following Mr. Yates' suggestions. I am now having problems getting my SSL portion to work. I have VIP::443 set up with the SSL profile (client) set to clientssl; I am running version BIG-IP 9.2.3 Build 34.3. I can browse directly to https://www.testa.org and the page is displayed, but when I point my hosts file to use the VIP for www.testa.org I get a reset.

    I have found this link and wonder if anyone thinks this may work for what I am trying to do?

    https://devcentral.f5.com/wiki/iRules.HttpHttpsSingleVirtualServer.ashx

  • Richard__Harlan
    Historic F5 Account
    If you are seeing a reset and are using an iRule, check /var/log/ltm. When an iRule has an error the LTM will reset the connection, and the logs will tell you what happened.

  • If you are communicating to your pool members via SSL, you must have a serverssl profile assigned also. So, you should have both clientssl and serverssl profiles assigned.
  • Hi kona2-9,

    I agree with Joel's suggestion of splitting your HTTP and HTTPS traffic onto separate Virtual Servers (one for 80 and one for 443).

    On your HTTP Virtual Server you do not need any SSL Profiles. On your HTTPS Virtual Server you will need an SSL Profile (Client) at a minimum. If you have an SSL Certificate installed on the Web Server then you will also need to enable the SSL Profile (Server) as well to re-encrypt the traffic between the LTM and the Web Server.

    If you follow the suggestion of using two Virtual Servers and you want to maintain the logic in a single iRule that could be applied to both the HTTP and HTTPS Virtual Server, you could do something like this, or separate the logic into two simpler iRules (one for HTTP and one for HTTPS).

        when HTTP_REQUEST {
            switch [TCP::server_port] {
                "80" {
                    switch -glob [string tolower [HTTP::host]] {
                        "*testa.org" { pool testa.org }
                        "*testb.org" { pool testb.org }
                    }
                }
                "443" {
                    switch -glob [string tolower [HTTP::host]] {
                        "*testa.org" { pool testa.org-ssl }
                        "*testb.org" { pool testb.org-ssl }
                    }
                }
            }
        }

    Hope this helps.
  • I have decided to split the iRule into two parts and the config is below. HTTP traffic is working with no problems. HTTPS, on the other hand, fails with a 400 error if only the clientssl profile is selected. If both SSL profiles, serverssl and clientssl, are selected I get a reset. Does anyone know if there is a way for me to use the servername portion of the Client Hello packet? I am not sure if the HTTP::host might not be getting hit. Also, on a side note, if I HTTPS directly to the server I do get the correct page.

    test-port80
    10.102.27.237:80
    http profile: http
    irule : test-vip-80

        when HTTP_REQUEST {
            switch [TCP::server_port] {
                "80" {
                    switch -glob [string tolower [HTTP::host]] {
                        "*testa.org" { pool testa.org }
                        "*testb.org" { pool testb.org }
                    }
                }
            }
        }

    ============================================================

    test-port443
    10.102.27.237:443
    http profile: http
    clientssl
    irule : test-vip-443

        when HTTP_REQUEST {
            switch [TCP::server_port] {
                "443" {
                    switch -glob [string tolower [HTTP::host]] {
                        "*testa.org" { pool testa.org-ssl }
                        "*testb.org" { pool testb.org-ssl }
                    }
                }
            }
        }
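Two points in this thread rest on the same fact: Richard's explanation that the LTM reads the expected certificate name out of the Client Hello, and the last question above about using the "servername portion of the client hello packet". The server_name extension (RFC 6066) travels in cleartext in the first handshake message, before any key exchange, so a TLS terminator can choose a certificate, profile or pool per host name before it could possibly see an HTTP Host header; the Host header, by contrast, is only readable after the clientssl profile has decrypted the connection, which is why HTTP_REQUEST never fires without one. Whether a given BIG-IP release exposes that name to iRules is a version question the replies already cover (v11 per Richard). The following is an added example, not F5 code and not from the thread, written in Python: it parses the SNI out of a ClientHello, does the same host-to-pool selection the HTTPS iRule does on HTTP::host, and shows what a client that sends no SNI looks like. The ClientHello bytes are constructed inside the example rather than captured, the host names and the "default-ssl" pool name are made up, and the two pool names follow the thread. One caveat the example also illustrates: the iRule's "*testa.org" glob also matches a host such as nottesta.org, so the example matches on a label boundary instead.

```python
"""Read the Server Name Indication (SNI) out of a TLS ClientHello.

Added example (not F5 code, not from the thread). The server_name
extension (RFC 6066, extension type 0) is sent in cleartext in the very
first handshake message, before any key exchange, which is what lets a
TLS terminator pick a certificate, profile or pool per host name before
it can see the HTTP Host header. The ClientHello bytes used below are
constructed here for the example; pool names follow the thread, while
the "default-ssl" pool name and the host names are made up.
"""
import struct
from typing import Optional

# Same host-to-pool mapping as the thread's HTTPS iRule.
POOLS_BY_HOST = {"testa.org": "testa.org-ssl", "testb.org": "testb.org-ssl"}


def looks_like_tls(data: bytes) -> bool:
    """True if the bytes start a TLS handshake record (type 0x16, major version 3).
    Plain HTTP ("GET ...") sent to a TLS port fails this check, which is why an
    HTTP profile with no clientssl profile cannot parse an HTTPS connection."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if not looks_like_tls(record) or len(record) < 5:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:        # 0x01 = client_hello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    off = 2 + 32                                        # legacy_version + random
    off += 1 + hello[off]                               # session_id
    cs_len = struct.unpack_from("!H", hello, off)[0]
    off += 2 + cs_len                                   # cipher_suites
    off += 1 + hello[off]                               # compression_methods
    if off >= len(hello):
        return None                                     # no extensions block at all
    ext_total = struct.unpack_from("!H", hello, off)[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, off)
        off += 4
        ext_data = hello[off:off + ext_len]
        off += ext_len
        if ext_type != 0x0000:                          # skip everything but server_name
            continue
        list_len = struct.unpack_from("!H", ext_data, 0)[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = ext_data[p]
            name_len = struct.unpack_from("!H", ext_data, p + 1)[0]
            name = ext_data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                          # 0 = host_name
                return name.decode("ascii")
    return None


def select_pool(record: bytes, default: str = "default-ssl") -> str:
    """Pick a pool from the SNI the way the thread's iRule picks one from
    HTTP::host. Matching is on a label boundary, so a host like nottesta.org
    does not land in testa.org's pool the way the iRule's "*testa.org" glob
    would allow. A client that sends no SNI can only get the default."""
    name = parse_sni(record)
    if name is None:
        return default
    name = name.lower().rstrip(".")
    for suffix, pool in POOLS_BY_HOST.items():
        if name == suffix or name.endswith("." + suffix):
            return pool
    return default


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal but well-formed TLS ClientHello record (sample input
    for this example, not a capture). A second extension is included so the
    parser has something to skip over."""
    suites = b"\x13\x01\xc0\x2f"                        # two real cipher suite IDs
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts += struct.pack("!HH", 0x002b, 3) + b"\x02\x03\x04"   # supported_versions: TLS 1.3
    hello = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                               # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("www.testa.org", "TESTB.ORG", "nottesta.org", None):
        rec = build_client_hello(host)
        print(f"{host!s:>15} -> SNI={parse_sni(rec)!r:>18} pool={select_pool(rec)}")
```

Run stand-alone, the script prints one line per constructed ClientHello; the None case stands in for a client that does not send SNI, which is exactly the client that can only ever be served by the default certificate and profile that the reply about Windows XP refers to.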