TWSS_18275
Apr 22, 2008 Nimbostratus
SSL / Non-SSL Same VIP
I would like to have one VIP that can handle both secure and non-secure traffic. I have found and implemented the rule at: http://devcentral.f5.com/wiki/default.aspx/iRules/HttpHttpsSingleVirtualServer.html and I am having a small problem. Non-secure traffic works without a problem, but secure traffic does not. I get no response back.
Here's the modified rule:
when RULE_INIT {
    # Define virtual server ports that should have SSL enabled
    set ::vip_https_ports [list \
        443 \
    ]
    # Define virtual server ports that should be answered with HTTP
    set ::vip_http_ports [list \
        80 \
    ]
    # Set this option to 1 to log debug messages (to /var/log/ltm by default)
    set ::debug 1
}
when CLIENT_ACCEPTED {
    # If debug is enabled, print a start marker
    if { $::debug } { log local0. "---------------------------- Start ---------------------------- " }
    if { $::debug } { log local0. "Pool Selected: [LB::server pool] " }
    # Derive the HTTP pool name from the virtual server's default pool.
    # Note: [string trim ... s] strips every leading and trailing "s", not a
    # single trailing character, and the variable is set here but never read
    # again in this rule. Writing a global (::) variable outside RULE_INIT also
    # demotes the virtual server from CMP on v9.4 and later.
    set ::non_secure_pool [string trim [LB::server pool] s]
    if { $::debug } { log local0. "Http Pool: $::non_secure_pool" }
    if { [matchclass [TCP::local_port] equals $::vip_https_ports] } {
        # Request was to an HTTPS port, so do nothing for the clientside connection.
        # The defined client and/or server SSL profiles will be applied as normal.
        if { $::debug } { log local0. "HTTPS request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]" }
        # Log an error if the virtual server doesn't have a client SSL profile, but receives an SSL request
        if { [PROFILE::exists clientssl] == 0 } {
            if { $::debug } { log local0. "ERROR: client connection received from [IP::client_addr] on port [TCP::local_port], but no client SSL profile is enabled on [IP::local_addr]" }
            reject
        }
        if { $::debug } { log local0. "HTTPS Pool Selected: [LB::server pool] " }
    } elseif { [matchclass [TCP::local_port] equals $::vip_http_ports] } {
        # Request was to an HTTP port, not an HTTPS port, so disable the client SSL profile if one is enabled on the VIP
        if { $::debug } { log local0. "HTTP request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]" }
        # Check to see if there is a client SSL profile and if so, disable it
        if { [PROFILE::exists clientssl] == 1 } {
            if { $::debug } { log local0. "Client SSL profile enabled on VIP. Disabling SSL" }
            # SSL::disable is run through eval so the rule still validates when
            # attached to a virtual server that has no client SSL profile
            set disable_cmd "SSL::disable"
            eval $disable_cmd
        }
    } else {
        # Request wasn't to a defined port, so reset it.
        # Tcl requires "else" on the same line as the closing brace of the
        # preceding branch; on a line of its own it is parsed as a separate command.
        if { $::debug } { log local0. "Dropping request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]" }
        reject
    }
}
when HTTP_RESPONSE {
    if { $::debug } { log local0. "Outgoing from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]" }
}
Anything that I am missing?
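Added here as a client-side check, not code from the original post or from F5: a small Python probe that connects to a virtual server's HTTP and HTTPS ports and reports what the client actually sees. The labels it returns separate the outcomes a rule like the one above can produce: a refused or reset connection (the rule's `reject`), a TCP connection that never completes a TLS handshake (no client SSL profile, or SSL disabled on that port), and a handshake that completes but gets no HTTP response back (pool or server side). The VIP address, the ports and the Host header are placeholders; the listener started by `selftest` is a constructed stand-in for a plain-HTTP-only port so the labels can be exercised offline.

```python
"""Probe one VIP on plain and TLS ports and classify what the client observes."""
import socket
import ssl
import threading

# Constructed request used for every probe; the Host header is a placeholder.
REQUEST = b"GET / HTTP/1.0\r\nHost: vip.example.test\r\n\r\n"
TIMEOUT = 3.0


def probe(host, port, use_tls):
    """Return a short label for how the listener at host:port behaves.

    tcp-refused   no listener answered the SYN (RST), or the VIP does not own the port
    tcp-reset     TCP was accepted and then reset, which is what an iRule 'reject' produces
    no-tls        TCP accepted but no TLS handshake completed: no client SSL profile,
                  SSL::disable applied on this port, or a protocol/cipher mismatch
    tls-no-http   TLS handshake completed but no HTTP status line came back
    no-http       plain TCP accepted but no HTTP status line came back
    timeout       nothing answered within TIMEOUT seconds
    http-ok       an HTTP status line came back
    """
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT)
    except ConnectionRefusedError:
        return "tcp-refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False      # diagnostic only: we want the handshake, not trust
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(REQUEST)
        data = sock.recv(4096)
    except ssl.SSLError:
        return "no-tls"
    except ConnectionResetError:
        return "tcp-reset"
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    if data.startswith(b"HTTP/"):
        return "http-ok"
    return "tls-no-http" if use_tls else "no-http"


def _plain_http_listener():
    """Constructed stand-in for a port that speaks plain HTTP only: whatever it
    receives (a GET, or a TLS ClientHello) it answers with a fixed HTTP/1.0
    response and closes, which is what a VIP port with SSL disabled looks like."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by selftest()
                return
            with conn:
                try:
                    conn.recv(65536)
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


def selftest():
    """Exercise probe() against constructed local conditions; returns the labels."""
    srv = _plain_http_listener()
    host, port = srv.getsockname()
    spare = socket.socket()              # grab a free port, then release it so nothing listens
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    results = {
        "http_on_plain_port": probe(host, port, use_tls=False),
        "tls_on_plain_port": probe(host, port, use_tls=True),
        "tls_on_closed_port": probe(host, closed_port, use_tls=True),
    }
    srv.close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # python probe.py <vip-address>
        print("http  :80 ", probe(sys.argv[1], 80, use_tls=False))
        print("https :443", probe(sys.argv[1], 443, use_tls=True))
    else:
        print(selftest())
```

Run it with the VIP address as the only argument and compare the two labels with the rule's log lines in /var/log/ltm: "tcp-reset" on 443 matches the rule's `reject` when `PROFILE::exists clientssl` is 0, "no-tls" on 443 means the port accepts TCP but never completes a handshake (check the client SSL profile and protocol/cipher settings with `openssl s_client` for the exact alert), and "tls-no-http" means the client side is fine and the missing response is on the pool side.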