Ty__Trabosh_946
May 02, 2006

SSL or Clear based on URI

Hello,

I'm working on creating an iRule that will allow me to send the traffic to two different pools based on the URI.

The twist is that if the URI contains a string I want to be able to re-encrypt and send it to the same server in the pool just to port 443.

I'm decrypting the SSL session with a client side cert for all traffic.

Example.

https://VS.../one/happy.gif --> Pool servers:80 clear text

https://vs.../credit/app --> Pool servers:443 re-encrypt and send to same pool.

Any sample code would be of great assistance.

2 Replies

  • You'll need a serverside SSL profile as well. Then, just disable the SSL for the appropriate URI:

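
    when HTTP_REQUEST {
      # Default: keep the serverside SSL profile active (re-encrypt to the server)
      set usessl 1
      if { [string tolower [HTTP::uri]] ends_with "one/happy.gif" } {
        # Cleartext request: send to the port 80 pool and flag SSL off
        pool http_servers
        set usessl 0
      }
    }
    when SERVER_CONNECTED {
      # Turn off serverside SSL for connections flagged as cleartext
      if { $usessl == 0 } {
        SSL::disable
      }
    }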

    This rule assumes your https server pool is set as the default on the profile. If that's not the case, you'll need to set it in the rule.

    For greater detail, there is a more comprehensive post here:

    http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=1635
  • Deb_Allen_18
    Historic F5 Account
    This rule assumes your https server pool is set as the default on the profile. If that's not the case, you'll need to set it in the rule.

    Actually, experience proves that it's a good idea to explicitly call the default pool where needed, rather than depending on the rule to select it automatically.

    When you have a rule that switches between pools, the "default pool" when you don't specify a pool name actually seems to be the last pool to which traffic was sent, rather than the default pool configured on the virtual server.

    /deb
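
The two replies combined, as an added example that is not part of either poster's code: every branch names its pool explicitly, and the cleartext decision is made on the path only, so anything not on the short cleartext list stays re-encrypted. The pool name `https_servers` and the `/one/` prefix are assumptions; `http_servers` and the `SSL::disable` placement come from the first reply.

```tcl
when HTTP_REQUEST {
    # Fail closed: re-encrypt to the server unless the request is
    # explicitly recognised as safe to send in the clear.
    set usessl 1

    # HTTP::path leaves out the query string, so a query value that
    # happens to end in a static file name cannot match the test below.
    set path [string tolower [HTTP::path]]

    # Assumption: static content lives under /one/. Paths carrying "%" or
    # ".." are not evaluated further and simply stay on the encrypted pool.
    if { ($path starts_with "/one/") and
         !($path contains "..") and
         !($path contains "%") } {
        set usessl 0
        # Port 80 members, name taken from the first reply
        pool http_servers
    } else {
        # Hypothetical name for the port 443 pool. It is selected
        # explicitly so a later request on the same connection does not
        # inherit the pool chosen by an earlier one.
        pool https_servers
    }
}

when SERVER_CONNECTED {
    # The serverside SSL profile is active by default; switch it off
    # only for connections flagged as cleartext above.
    if { $usessl == 0 } {
        SSL::disable
    }
}
```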