disabling SSL to one backend pool

Question

I have a SSL Virtual server setup that will forward requests to one of 2 pools based on the Uri. Obviously I have setup a Client SSL profile on the Virtual Server but I also have a Server SSL profile setup on the Virtual Server as well as I would like to keep the connection from the F5 to one of the backend pools encrypted. The other pool I would rather not have SSL traffic to as it is serving mostly static content. So in essence:&nbsp;
&nbsp;    Internet Client  (SSL) https://dostuff.foo.com
&nbsp;                       |
&nbsp;                       V
&nbsp;                      F5  If uri starts with /secure
&nbsp;                                      |
&nbsp;                                      V
&nbsp;                                   SSL pool (encrypted)
&nbsp;                                      |
&nbsp;                                      V else
&nbsp;                             Static pool (unencrypted)&nbsp;
&nbsp;Is there a way to do this so that it's SSL for the internet client all the way but selective on the backend? If I have to I'll make it all SSL on the backend but just trying to save some resources - here's the iRule I've been trying but currently I am getting a connection reset. &nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp; set my_uri [string tolower [HTTP::uri]]
&nbsp; set usessl 0
&nbsp;  if { $my_uri starts_with "/secure" } {
&nbsp;     pool ssl__pool
&nbsp;     set usessl 1
&nbsp;  } else {
&nbsp;     pool static_pool  
&nbsp;    }
&nbsp;}&nbsp;
&nbsp;when SERVER_CONNECTED {
&nbsp;  if { $usessl == 0 } {
&nbsp;    SSL::disable
&nbsp;    }
&nbsp;  }
&nbsp;

hooleylist · Answer

The rule looks correct.&nbsp;
&nbsp;Do you get a reset for requests to both /secure and to other URIs?  If you take the rule off and use client and server SSL for all requests, are all requests successful?&nbsp;
&nbsp;Aaron&nbsp;

gwjr_105177 · Answer

Yeah it seems I get resets for /secure as well. Interestingly when I moved everything to SSL connections for the static pool as well everything works fine. Also, removing the server SSL profile and having non-SSL requests to the backend servers worked as well. I'm going to continue to investigate.

alok_3817 · Answer

Use this

when HTTP_REQUEST { 
 set my_uri [string tolower [HTTP::uri]] 
 if { $my_uri starts_with "/secure" }  
 { 
 pool ssl__pool 
 }  
 else  
 { 
 SSL::disable serverside 
 pool static_pool  
 } 
 }

Looks like when you are using the SSL::disable alone, it is killing the Client SSL, (which is the default),  
  
 Client &lt;--Encrypted--&gt; | F5 (VS) ( iRule ) (POOL) F5 | &lt;---Encrypted ---&gt; Server (in SSL pool)  
 Client &lt;-- Not Encrypted--&gt; | F5 (VS) ( iRule ) (POOL) F5 | &lt;--- Not Encrypted ---&gt; Server (in Static pool)

From your requirements i thought you needed  
  
 Client &lt;-- Encrypted--&gt; | F5 (VS) ( iRule ) (POOL) F5 | &lt;--- Not Encrypted ---&gt; Server (in Static pool)  
  
 The Above iRule should help

Do let us know

Forum Discussion

disabling SSL to one backend pool

3 Replies

Recent Discussions

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

APM OCSP Responder Issues

Related Content

Disabling Weak Ciphers

Enable/Disable pool member

Host based irule & URI to point to backend pool

disable http retry

behavior of SSL::disable serverside