Forum Discussion

Dayton_Gray_103's avatar
Dayton_Gray_103
Icon for Nimbostratus rankNimbostratus
Jun 07, 2007

SSL unencrypt/reencrypt after looking at header

Here is my situation.

 

 

We are looking to send SSL (port 443) traffic to different pools based upon host header. and either un-encrypt or re-encrypt based upon pool used. I have not found any solution after digging through the forums.

 

 

Basically we are looking to send 443 traffic to a pool pointing to a different data center (re-encrypted via SSLServer profile) if it does not match a certain host header. If the host header is matched, it needs to send it unencrypted to a local pool (local web servers).

 

 

Is there anyway to do this via iRule? From what I've read I'm not sure that it is possible so we came up with another hair-brained scheme to have 3 virtual servers. The first will un-encrypt (client SSL) and the pool would point to the second Virtual server. The second virtual server would re-encrypt (server SSL) and have an iRule which would look at the host header. If the host header did not match it would send the traffic to the other datacenter and if it did match send to the third Virtual server. The third virtual server would simply un-encrypt (client SSL) and send to the internal web servers.

 

 

Does this sound feasible? I have tested and the BigIP seems to have a problem connecting back to itself (pool pointing to another Virtual Server). I have tried this doing just port 80 traffic and it doesn't seem to work. My guess is that it is having a problem with NAT/SNAT tables. Any suggestions?
application delivery
dev
devops
iRules

17 Replies

Sort By
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Jun 07, 2007
    You can certainly inspect the host header and act on the value once you've decrypted the request.

    The only issue you may encounter is that there can only be a single cert applied to the port 443 virtual server, so HTTPS requests to 1 of the 2 hostnames in question would result in the "cert mismatch" error. Really no way around that one, and the same thing would happen with your proposed workaround (possible in LTM v9.4, which introduced the ability to have a virtual use another virtual as a destination.)

    But to use an iRule on a single virtual instead, this should get you on your way:
    when HTTP_REQUEST {
  set reencrypt 0
  if { [HTTP::header Host] == "host1.domain.com" }{
    pool LocalPool 
  } else {
    set reencrypt 1
    pool RemotePool
  }
}
when SERVER_CONNECTED {
  if { $reencrypt == 0 }{
    SSL::disable
  }
}
    HTH

    /deb
  • Dayton_Gray_103's avatar
    Dayton_Gray_103
    Icon for Nimbostratus rankNimbostratus
    Jun 08, 2007
    I get this error with this iRule (BigIP LTM 9.4):

     

     

    01070151:3: Rule [XXX_Passthrough] error: line 1: [invalid keyword { set reencrypt 0 if { [HTTP::header Host] == xxx.xxxxx.com } pool internalweb } must be: priority timing] [when HTTP_REQUEST { set reencrypt 0 if { [HTTP::header Host] == xxx.xxxxx.com } pool internalweb } else { set reencrypt 1 pool xxx-sec.443 }] line 9: [command is not valid in the current scope] [}]

     

     

    Is reencrypt not valid within the HTTP_REQUEST section?
  • Dayton_Gray_103's avatar
    Dayton_Gray_103
    Icon for Nimbostratus rankNimbostratus
    Jun 08, 2007
    I seem to bet getting an error in the webserver when a server SSL profile is in place. If I remove the server SSL profile it works properly. Any idea why I might be seeing this error? It looks like it still may be encrypted.

     

     

    Access log:

     

     

    192.168.176.23 - - [08/Jun/2007:10:22:42 -0400] "\x16\x03" 501 290 "-" "-"

     

     

    Error log:

     

     

    [Fri Jun 08 10:22:42 2007] [error] [client 192.168.176.23] Invalid method in request \x16\x03

     

     

    Thanks for any advice.
  • Dayton_Gray_103's avatar
    Dayton_Gray_103
    Icon for Nimbostratus rankNimbostratus
    Jun 12, 2007
    Bump. Anyone know why this still looks encrypted on the web server when the host header matches?
  • Dayton_Gray_103's avatar
    Dayton_Gray_103
    Icon for Nimbostratus rankNimbostratus
    Jun 13, 2007
    I added some logging into the iRule. According to the logs it looks like it is getting redirected to the proper pool and that the SSL::Disable is triggering:

     

     

    Jun 13 12:34:16 tmm tmm[1629]: 01220002:6: Rule FOG_Passthrough_443 : local0."test1"

     

    Jun 13 12:34:16 tmm tmm[1629]: 01220002:6: Rule FOG_Passthrough_443 : local0."nossl"

     

     

    Any idea why the web server would be getting 501 errors in the logs? Is this because the browser still has https in the url?

     

     

     

    when HTTP_REQUEST {

     

    set reencrypt 0

     

    if { [HTTP::header Host] == "xxxxxxxxxxx" }{

     

    {

     

    pool xxxxxxxxxxxx

     

    log local0."test1"

     

    } else {

     

    set reencrypt 1

     

    pool fog-sec.443

     

    log local0."test2"

     

    }

     

    }

     

    when SERVER_CONNECTED {

     

    if { $reencrypt == 0 }{

     

    SSL::disable

     

    log local0."nossl"

     

    }

     

    }
  • Dayton_Gray_103's avatar
    Dayton_Gray_103
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2007
    It looks as if I have run into a bug with the 9.4 Hotfix 4 release. I have tried the above code on a 9.2 BigIP and it is working without issue. I am communicating with F5 now to determine what the problem is.

     

     

    Thanks for the help!
  • Ian_Amos_37833's avatar
    Ian_Amos_37833
    Icon for Nimbostratus rankNimbostratus
    Jun 15, 2007

    Posted By Byzandula on 06/07/2007 8:36 PM

     

     

    Disregard... it's just a missing {

     

     

    Thanks for the input!

     

     

     

    Hi, i'm trying to do a similar thing, and am getting the same error message..

     

     

    Where is the missing { ??

     

     

    Thanks
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jun 15, 2007
    The missing { should be at the end of the line of the first 'if':

    
when HTTP_REQUEST {
  set reencrypt 0
  if { [HTTP::header Host] == "host1.domain.com" }{
    pool LocalPool 
  } else {
    set reencrypt 1
    pool RemotePool
  }
}
when SERVER_CONNECTED {
  if { $reencrypt == 0 }{
    SSL::disable
  }
}

    Aaron
  • Ian_Amos_37833's avatar
    Ian_Amos_37833
    Icon for Nimbostratus rankNimbostratus
    Jun 15, 2007
    Excellent, thank you.

    The rule is accepted, but when it is actioned, I get the following error in the logs:

    TCL error: Rule Test-4 HTTP_REQUEST - cant use 
non-numeric string as operand of ! while executing if 
{ not [HTTP::uri] starts_with /exchange/ || 
[HTTP::uri] starts_with /exchweb/ } { pool content log 
local0.test4-1 } else { set disable 0...

    The rule i'm trying to use is:

    
when HTTP_REQUEST {
set disable 1
if { not [HTTP::uri] starts_with "/exchange/" || [HTTP::uri] starts_with "/exchweb/" }
{
pool UAT-content
log local0."test4-1"
} else {
set disable 0
pool OWA-Pool
log local0."test4-2"
}
}
when SERVER_CONNECTED {
if { $disable == 1 }{
SSL::disable
log local0."nossl"
}
}

    Reason for this, is that our MS exchange servers have to use SSL, whereas our Apache can't.. (don't ask me why..)

    Any help would be much appreciated!!