Forum Discussion
James_Harris_11
Feb 21, 2007
Historic F5 Account
Need to have HTTP Profile turned on?
Do I need to have an HTTP profile enabled to do an iRule that does something along the lines of:
    when HTTP_REQUEST {
        if { not (([HTTP::uri] contains "something unique here") and
                  ([HTTP::method] equals "SSTP_DUPLEX_POST")) } {
            drop
        }
    }
Thanks in advance
12 Replies
- hoolio
Cirrostratus
If you want to inspect HTTP headers or content you need to have an HTTP profile associated with the virtual server.
Aaron
- Janani_Vasudeva
Nimbostratus
I have a similar case. And I turned on HTTP profile to add the iRule. However, once I turn on the HTTP profile, even when I don't have any iRule (to restrict traffic), my connection doesn't go through.
Anything that I'm missing here? Is there some other setting that I should take care of?
I'm basically making an HTTPS connection which is terminated at the BIGIP box and then redirected as HTTP to the server behind it.
I can see the SSL negotiation go through fine. The BIGIP also sends probe GET requests to the server and the server responds. However, BIGIP resets the connection after some time.
Please help if you have any clue.
- hoolio
Cirrostratus
I would guess that you don't have a client SSL profile configured on the virtual server. When you add an HTTP profile to a virtual server, you're instructing BIG-IP to parse the content as HTTP. If the client is making an HTTPS request to the virtual server and you want to inspect/change the HTTP content of the request, you must use a client SSL profile to decrypt the traffic. Else, as you've found, BIG-IP will reset the connection.
Typically, you would want to configure the virtual server on port 443 with a client SSL profile to decrypt the traffic. You'd then add a pool of nodes defined on port 80. You could then add an HTTP profile if you want to inspect the HTTP content.
You can check the configuration guide for your version on AskF5 to get details on configuring a client SSL profile and setting up load balancing.
Aaron
- Janani_Vasudeva
Nimbostratus
I just checked...and I do have a client SSL profile. I have a profile created with clientssl as the parent profile and with my certificates selected, which I have mapped to my virtual server.
Any other suggestions?
Thanks in advance
- hoolio
Cirrostratus
This looks like a configuration issue as opposed to an iRule issue. I'd suggest reviewing the config guide and checking the /var/log/ltm log file for errors.
In general, make sure you have a standard HTTP virtual server defined on 443 with a client SSL profile. The virtual server should have a pool resource. The pool should have nodes defined with the port they listen for HTTP traffic on. If the pools are defined on a port different than the virtual server, you'll need port translation enabled on the virtual server. Address translation must also be enabled if you want TMM to translate the destination address from the virtual server IP to the node's IP address.
Aaron
- Janani_Vasudeva
Nimbostratus
When I add the HTTP profile, are there any specific settings that need to be enabled? For example, there are options like 'Redirect Rewrites' etc.
Which of these need to be enabled?
I looked into the deployment guide of OWA which does SSL termination. But my configuration seems exactly like it.
Also, where can I find the logs that you mentioned, /var/logs/itm?
- dennypayne
Employee
/var/log/ltm (that's an L not an I) = Local Traffic log in the GUI or just go to the /var/log directory on the command line.
Denny
- Janani_Vasudeva
Nimbostratus
I checked the logs. I don't see anything useful, at least I cannot make out what it means. The following line is logged again and again:
Feb 22 10:52:00 bigip1500 system_check: 010d0005:3: Chassis fan 106: status (0) is bad.
Also, I'm again asking the question I asked before.
When I create an HTTP profile, are there any specific settings that I need to enable here like "Redirect rewrites" etc.?
- JRahm
Admin
Well that depends on your application. However, the configuration parameters of the BigIP itself are out of the scope of these forums. Applying an http profile, even in its default state, enables the HTTP events in iRules. I suggest you read the manual regarding the http profile parameters.
- Janani_Vasudeva
Nimbostratus
Well. I looked through the documents, solutions and guides on this site. Nothing that I could find for my specific problem.
The summary: HTTP PROFILE ASSOCIATION CAUSES PROBLEMS
* Client makes an HTTPS connection to the BIGIP virtual server, say our_server, on port 443
* The BIGIP terminates this SSL connection, makes an HTTP connection to our configured pool, say our_pool, on port 80. (We have only one server now in our pool)
* The virtual server 'our_server' has the default TCP profile and a clientssl profile (with our certs) associated.
* Everything works fine until we associate the default http profile to the virtual server. (We require this to add an iRule to inspect HTTP traffic)
* Once this 'http' profile is associated with the virtual server, I can see that SSL negotiation is going through well. But BIGIP resets the connection with my client after that.
Please do help me if you have any more clues.
Thanks.
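
Added example, not part of any post in this thread: a diagnostic iRule for the symptom summarized above, where SSL negotiation succeeds and BIG-IP then resets the connection once the http profile is attached. It logs each connection stage to /var/log/ltm around the filter from the original question; the "diag" log prefix and the `peer` variable are names chosen for this example.

```tcl
# Added diagnostic iRule (not from the thread). Each event writes one line to
# /var/log/ltm via "log local0.", so the last line logged for a connection
# shows how far it got before the reset.

when CLIENT_ACCEPTED {
    # Client-side TCP connection established; remember the peer for later lines.
    set peer "[IP::client_addr]:[TCP::client_port]"
    log local0. "diag $peer: TCP accepted"
}

when CLIENTSSL_HANDSHAKE {
    # Fires only when the client SSL profile has completed the handshake.
    log local0. "diag $peer: client SSL handshake complete"
}

when HTTP_REQUEST {
    # Fires only when the HTTP profile has parsed a complete request header.
    log local0. "diag $peer: [HTTP::method] [HTTP::uri] HTTP/[HTTP::version]"

    # Filter from the original question, with the drop decision logged.
    if { not (([HTTP::uri] contains "something unique here") and
              ([HTTP::method] equals "SSTP_DUPLEX_POST")) } {
        log local0. "diag $peer: request did not match filter, dropping"
        drop
    }
}

when CLIENT_CLOSED {
    # Client-side connection torn down (by either end).
    log local0. "diag $peer: client side closed"
}
```

If the log shows the handshake line but never the request line, the connection ended before the HTTP profile finished parsing a request header, so no HTTP_REQUEST logic ever ran for it.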
