Forum Discussion

Frank_Misak_116
May 22, 2013

iRule and/or SSL profile?

I am very new to F5 and am having difficulty figuring out how to configure an application to work in the manner below. Does this require an iRule and editing a server ssl profile? I really don't know where to start here.

Logic flow and info.

If the request coming in is HTTP, it needs a redirect to HTTPS.
If the URL contains WEB1.whatever.com/komws, it should use the NEW_WEB1_pool.
If the URL does not end in /komws, use the WEB1_pool.

WEB1_pool
    Terminate SSL at the F5 using the wildcard cert
    Forward to the pool using HTTP (80)

NEW_WEB1_pool
    Terminate SSL at the F5 using the server cert
    Use source IP affinity
    Forward to the pool using HTTPS (443)

I have both the wildcard certificate (for the WEB1_pool) and the server certificate (for the NEW_WEB1_pool) loaded onto the F5. Currently we are just doing SSL pass-thru to a single pool which works fine, however we need to split this out into two pools functioning as indicated above. I'm lost.


4 Replies

  • First things first, create TWO VIPs:

    1. A port 80 (HTTP) VIP with nothing in it but an HTTP profile and the _sys_https_redirect iRule. This will cause all requests to HTTP:// to be immediately redirected to the HTTPS VIP.

    2. A port 443 (HTTPS) VIP that accepts requests to your application/pools.

    Now, you cannot make a layer 6 decision (which client SSL profile to use) based on a layer 7 characteristic such as the URI. You can, however, switch profiles based on the server name using SNI (Server Name Indicator), an extension of the TLS protocol.

    Aside from that, apply a server SSL profile to the HTTPS VIP and use an iRule like this:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/komws" } {
            # send to NEW_WEB1_pool
            pool NEW_WEB1_pool
            persist source_addr 255.255.255.0 0
        } else {
            # send to WEB1_pool and disable the server SSL profile
            SSL::disable serverside
            pool WEB1_pool
        }
    }

    Question: how did you want to do persistence for the port 80 traffic?
  • Thanks for the reply. We already have a redirect in place, but not sure it's the way you recommended. Below are the pieces of the configuration (scrubbed of course) as it is now. I'm not sure how to incorporate what you recommend into what is already in place? Appreciate any and all help.

    ltm pool /DMZ/WEB1.app/WEB1_pool {
        app-service /DMZ/WEB1.app/WEB1
        load-balancing-mode least-connections-node
        members {
            /DMZ/10.1.1.137:443 {
                address 10.1.1.137
                app-service /DMZ/WEB1.app/WEB1
            }
            /DMZ/10.1.1.138:443 {
                address 10.1.1.138
                app-service /DMZ/WEB1.app/WEB1
            }
        }
        monitor /DMZ/WEB1_https_monitor
        slow-ramp-time 300
    }

    ltm rule /DMZ/WEB1_redir {
        when HTTP_REQUEST {
            switch -glob [string tolower [HTTP::uri]] {
                "/contracts" { HTTP::redirect "https://WEB1.whatever.com/contracts" }
                "/ppl" { HTTP::redirect "https://WEB1.whatever.com/ppl" }
                "/komws" { HTTP::redirect "https://WEB1.whatever.com/komws" }
                default { HTTP::redirect "https://WEB1.whatever.com/kom" }
            }
        }
    }

    ltm rule /DMZ/WEB1_sorry {
        when HTTP_REQUEST {
            if { [active_members WEB1_pool] < 1 } {
                HTTP::redirect http://www2.whatever.com/kiosk/maintenance
            }
        }
    }

    ltm virtual /DMZ/WEB1.app/WEB1_http_virtual {
        app-service /DMZ/WEB1.app/WEB1
        destination /DMZ/10.2.2.176:80
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            /DMZ/WEB1.app/WEB1_http_profile { }
            /DMZ/WEB1.app/WEB1_lan-optimized_tcp_profile {
                context serverside
            }
            /DMZ/WEB1.app/WEB1_wan-optimized_tcp_profile {
                context clientside
            }
        }
        rules {
            /DMZ/WEB1_redir
        }
        translate-address enabled
        translate-port enabled
        vlans-disabled
    }

    ltm virtual /DMZ/WEB1.app/WEB1_https_virtual {
        app-service /DMZ/WEB1.app/WEB1
        destination /DMZ/10.2.2.176:443
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            /Common/source_addr {
                default yes
            }
        }
        pool /DMZ/WEB1.app/WEB1_pool
        profiles {
            /Common/fastL4 { }
        }
        translate-address enabled
        translate-port enabled
        vlans-disabled
    }

    ltm monitor https /DMZ/WEB1_https_monitor {
        cipherlist DEFAULT:+SHA:+3DES:+kEDH
        compatibility enabled
        defaults-from /Common/https
        destination *:*
        interval 30
        password password
        recv "Application Health = GOOD"
        send "GET /mah/Default.aspx HTTP/1.1\\r\\nHost: WEB1.whatever.com\\r\\nConnection: Close\\r\\n\\r\\n"
        time-until-up 0
        timeout 91
        username uid=username,ou=administration,dc=whatever,dc=com
    }

    ltm persistence cookie /DMZ/WEB1.app/WEB1_cookie_persistence_profile {
        app-service /DMZ/WEB1.app/WEB1
    }

    ltm profile client-ssl /DMZ/WEB1.app/WEB1_clientssl {
        app-service /DMZ/WEB1.app/WEB1
        cert /Common/ABC-Wildcard-Cert.crt
        defaults-from /Common/clientssl
        key /Common/ABC-Wildcard-Key.key
    }

    ltm profile http /DMZ/WEB1.app/WEB1_http_profile {
        app-service /DMZ/WEB1.app/WEB1
        defaults-from /Common/http
        redirect-rewrite matching
    }

    ltm profile http-compression /DMZ/WEB1.app/WEB1_wan-optimized-compression_profile {
        app-service /DMZ/WEB1.app/WEB1
        content-type-include { text/ application/vnd.ms-publisher "application/(xml|x-javascript|javascript|x-ecmascript|ecmascript)" "application/(word|doc|msword|winword|ms-word|x-word|x-msword|vnd.word|vnd.msword|vnd.ms-word)" "application/(xls|excel|msexcel|ms-excel|x-excel|x-xls|xmsexcel|x-ms-excel|vnd.excel|vnd.msexcel|vnd.ms-excel)" "application/(powerpoint|mspowerpoint|ms-powerpoint|x-powerpoint|x-mspowerpoint|vnd.powerpoint|vnd.mspowerpoint|vnd.ms-powerpoint|vnd.ms-pps)" "application/(mpp|msproject|x-msproject|x-ms-project|vnd.ms-project)" "application/(visio|x-visio|vnd.visio|vsd|x-vsd|x-vsd)" "application/(pdf|x-pdf|acrobat|vnd.pdf)" }
        defaults-from /Common/wan-optimized-compression
    }

    ltm profile one-connect /DMZ/WEB1.app/WEB1_oneconnect {
        app-service /DMZ/WEB1.app/WEB1
        defaults-from /Common/oneconnect
        source-mask 255.255.255.255
    }

    ltm profile tcp /DMZ/WEB1.app/WEB1_lan-optimized_tcp_profile {
        app-service /DMZ/WEB1.app/WEB1
        defaults-from /Common/tcp-lan-optimized
    }

    ltm profile tcp /DMZ/WEB1.app/WEB1_wan-optimized_tcp_profile {
        app-service /DMZ/WEB1.app/WEB1
        defaults-from /Common/tcp-wan-optimized
    }

  • We already have a redirect in place, but not sure it's the way you recommended. Below are the pieces of the configuration (scrubbed of course) as it is now. I'm not sure how to incorporate what you recommend into what is already in place?

    I understand that what Kevin suggested is to use the _sys_https_redirect iRule on the WEB1_http_virtual virtual server and his iRule on the WEB1_https_virtual virtual server. On the WEB1_https_virtual virtual server, you also have to assign clientssl and serverssl profiles.
  • Kevin,

    I'm still not certain about what you are saying. Based on my current configuration, I already have the redirect to HTTPS in place. Looking at my config, can you tell me what I need to do next? I'm confused as to when to use and modify a profile versus when to use an iRule. I don't understand where and how I would make the changes you suggest.

    Thanks!
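As an added example (not code from the thread, from Kevin, or from F5), here is one way Kevin's two-VIP layout could be fitted onto the posted /DMZ objects: the profile changes on the 443 virtual server and the iRule that does the layer-7 pool split. Object names not in the thread (WEB1_serverssl, WEB1_route, a pre-existing /DMZ/NEW_WEB1_pool with members on port 443) are assumed, and WEB1_pool's members would need to be changed to port 80 for the plain-HTTP leg.

```tcl
# Added example (not from the thread); WEB1_serverssl, WEB1_route and an
# existing /DMZ/NEW_WEB1_pool with members on port 443 are assumed names.
# Port 80 VIP: an HTTP profile plus the built-in redirect iRule (keep /DMZ/WEB1_redir
# here instead only if its path mapping, e.g. "/" to /kom, must be preserved).
ltm virtual /DMZ/WEB1.app/WEB1_http_virtual {
    destination /DMZ/10.2.2.176:80
    profiles {
        /Common/tcp { }
        /DMZ/WEB1.app/WEB1_http_profile { }
    }
    rules {
        /Common/_sys_https_redirect
    }
}
# Port 443 VIP: fastL4 is replaced by a full-proxy stack (tcp, http, client-ssl,
# server-ssl); without it an iRule gets no HTTP_REQUEST events. The wildcard cert
# covers WEB1.whatever.com, so one client-ssl profile serves both pools; the cert
# is chosen in the TLS handshake (by SNI at most), before any URI is visible.
ltm virtual /DMZ/WEB1.app/WEB1_https_virtual {
    destination /DMZ/10.2.2.176:443
    pool /DMZ/WEB1.app/WEB1_pool
    profiles {
        /DMZ/WEB1.app/WEB1_wan-optimized_tcp_profile { context clientside }
        /DMZ/WEB1.app/WEB1_lan-optimized_tcp_profile { context serverside }
        /DMZ/WEB1.app/WEB1_http_profile { }
        /DMZ/WEB1.app/WEB1_clientssl { context clientside }
        /DMZ/WEB1_serverssl { context serverside }
    }
    rules {
        /DMZ/WEB1_sorry
        /DMZ/WEB1_route
    }
}
ltm profile server-ssl /DMZ/WEB1_serverssl {
    defaults-from /Common/serverssl
}
# Pool choice depends on the URI (layer 7), so it lives in an iRule, not a profile.
ltm rule /DMZ/WEB1_route {
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/komws" } {
            # NEW_WEB1_pool: re-encrypted to 443 via WEB1_serverssl, source-IP affinity
            pool /DMZ/NEW_WEB1_pool
            persist source_addr 255.255.255.0
        } else {
            # WEB1_pool: plain HTTP to the servers, so drop server-side TLS (members on :80)
            SSL::disable serverside
            pool /DMZ/WEB1.app/WEB1_pool
        }
    }
}
```

The existing WEB1_sorry rule is attached to the 443 virtual server here because, with fastL4 in place, it was never able to see an HTTP_REQUEST event.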