Forum Discussion

TWSS_18275
Apr 22, 2008

SSL / Non-SSL Same VIP

I would like to have one VIP that can handle both secure and non-secure traffic. I have found and implemented the rule at: http://devcentral.f5.com/wiki/default.aspx/iRules/HttpHttpsSingleVirtualServer.html and I am having a small problem. Non-secure traffic works without a problem, but secure traffic does not. I get no response back.

Here's the modified rule:

when RULE_INIT {
    # Define virtual server ports that should have SSL enabled
    set ::vip_https_ports [list \
        443 \
    ]

    # Define virtual server ports that should be answered with HTTP
    set ::vip_http_ports [list \
        80 \
    ]

    # Set this option to 1 to log debug messages (to /var/log/ltm by default)
    set ::debug 1
}

when CLIENT_ACCEPTED {
    # If debug is enabled, print a start marker
    if {$::debug} {log local0. "---------------------------- Start ---------------------------- "}

    if {$::debug} {log local0. "Pool Selected: [LB::server pool] "}

    # Derive the HTTP pool name from the default pool by trimming a trailing "s"
    set ::non_secure_pool [string trim [LB::server pool] s]
    if {$::debug} {log local0. "Http Pool: $::non_secure_pool"}

    if { ([matchclass [TCP::local_port] equals $::vip_https_ports]) } {
        # Request was to an HTTPS port, so do nothing for the clientside connection.
        # The defined client and/or server SSL profiles will be applied as normal
        if {$::debug} {log local0. "HTTPS request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}

        # Log an error if the virtual server doesn't have a client SSL profile, but receives an SSL request
        if {[PROFILE::exists clientssl] == 0} {
            if {$::debug} {log local0. "ERROR: client connection received from [IP::client_addr] on port [TCP::local_port], but no client SSL profile is enabled on [IP::local_addr]"}
            reject
        }

        if {$::debug} {log local0. "HTTPS Pool Selected: [LB::server pool] "}

    } elseif { ([matchclass [TCP::local_port] equals $::vip_http_ports]) } {
        # Request was to an HTTP port, not an HTTPS port, so disable the client SSL profile if one is enabled on the VIP
        if {$::debug} {log local0. "HTTP request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}

        # Check to see if there is a client SSL profile and if so, disable it
        if { [PROFILE::exists clientssl] == 1} {
            if {$::debug} {log local0. "Client SSL profile enabled on VIP. Disabling SSL"}
            # Built via eval so the rule still validates on a virtual without a client SSL profile
            set disable_cmd "SSL::disable"
            eval $disable_cmd
        }
    } else {
        # Request wasn't to a defined port, so reset it
        if {$::debug} {log local0. "Dropping request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
        reject
    }
}

when HTTP_RESPONSE {
    if {$::debug} {log local0. "Outgoing from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}
}


Anything that I am missing?

7 Replies

  • Colin_Walker_12
    Historic F5 Account
    You also need to be sure that you have a Client SSL profile set up for the virtual in question. Since this rule effectively does nothing for traffic that's deemed HTTPS, you need to have the default configuration set up for SSL traffic. The iRule will then shut off that profile if it detects HTTP traffic.

    Did you try that? Is there any information showing up in the logs?

    Colin
  • Yes, here's the vip:

    virtual vip_2xx.xxx.xxx.xxx_http_s {
       destination 2xx.xxx.xxx.xxx:any
       ip protocol tcp
       profile http secure.sitename.com tcp
       persist cookie
       pool pool_route_testing_http
       rule combine_http_https
       combine_http_https_header
    }

    and here are the log entries:

    Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : ---------------------------- Start ----------------------------
    Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : Pool Selected: pool_route_testing_https
    Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : Http Pool: pool_route_testing_http
    Apr 22 12:36:44 tmm tmm[929]: Rule combine_http_https : HTTPS request from x.x.x.x to x.x.x.x:443
    Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : ---------------------------- Start ----------------------------
    Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : Pool Selected: pool_route_testing_https
    Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : Http Pool: pool_route_testing_http
    Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : HTTP request from x.x.x.x to x.x.x.x:80
    Apr 22 12:39:39 tmm tmm[929]: Rule combine_http_https : Client SSL profile enabled on VIP. Disabling SSL

  • Hi,

    What are you trying to do with the https pool? Do you want/need to have HTTPS requests sent to an HTTPS pool? The Codeshare example was designed to use a single HTTP pool. You could specify an HTTPS pool in the rule using the pool command. You'd need to add a server SSL profile to the VIP and disable that in addition to the client SSL profile for HTTP requests.

    With two different pools, the cookie persistence profile would no longer work as it does with one pool, as the pool definition (and persistence value in the cookie) would change as the client goes from HTTP to HTTPS. I suppose you could use a single pool to do the member selection (and persistence) and then set the port using the node command in the LB_SELECTED event. I'm not 100% sure on this methodology though.

    Aaron
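The two-pool variant Aaron describes above, written out as an added example (this is not the thread's iRule and not F5 Codeshare code). It assumes a single virtual listening on port "any" with both a client SSL and a server SSL profile attached, two placeholder pools named pool_app_http (members on :80) and pool_app_https (members on :443), and the static:: variable namespace available on BIG-IP v10 and later rather than the v9-style ::globals used in the original post. Plain-HTTP connections get TLS switched off on both sides, since leaving the server SSL profile active would make the BIG-IP attempt a TLS handshake with a cleartext pool member:

```tcl
# Added example: single virtual answering both HTTP and HTTPS with separate pools.
# Assumed objects: pool_app_http, pool_app_https, a client SSL and a server SSL
# profile on the virtual. Ports and names are placeholders.
when RULE_INIT {
    # Ports the virtual should treat as TLS; everything else is plain HTTP
    set static::https_ports [list 443]
    set static::http_ports  [list 80]
    set static::debug 1
}

when CLIENT_ACCEPTED {
    set port [TCP::local_port]

    if { [lsearch -exact $static::https_ports $port] >= 0 } {
        # A TLS client needs a client SSL profile to complete the handshake.
        # Fail closed (reset) instead of leaving the client hanging with no response.
        if { ![PROFILE::exists clientssl] } {
            log local0. "no client SSL profile on [IP::local_addr]:$port, rejecting [IP::client_addr]"
            reject
            return
        }
        # Re-encrypt toward the backend: server SSL profile stays active,
        # traffic goes to the pool whose members listen on 443.
        pool pool_app_https
        if { $static::debug } { log local0. "HTTPS [IP::client_addr] -> pool_app_https" }

    } elseif { [lsearch -exact $static::http_ports $port] >= 0 } {
        # Plain HTTP: disable TLS on the client side (no handshake expected) and on
        # the server side (members on :80 speak cleartext), then pick the HTTP pool.
        if { [PROFILE::exists clientssl] } { SSL::disable clientside }
        if { [PROFILE::exists serverssl] } { SSL::disable serverside }
        pool pool_app_http
        if { $static::debug } { log local0. "HTTP [IP::client_addr] -> pool_app_http" }

    } else {
        # Not a port we serve: reset rather than silently forwarding to a pool
        if { $static::debug } { log local0. "unexpected port $port from [IP::client_addr], rejecting" }
        reject
    }
}
```

The `return` after `reject` matters: `reject` does not end the event, so without it the rule would go on to select a pool for a connection that is already being reset. As Aaron notes, selecting two different pools this way changes the pool name embedded in the persistence cookie, so cookie persistence no longer carries across the HTTP-to-HTTPS transition; the single-pool design in the original post avoids that at the cost of requiring cleartext members.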
  • What are you trying to accomplish by using the rule? Previously it's been used to minimize the number of objects in the config--but also to support cookie persistence across HTTP and HTTPS requests. If you want to use HTTPS on the server side for client requests over HTTPS and HTTP for client side HTTP requests and support cookie persistence, you wouldn't be able to use two different pools.

    Can you post the config for the two pools? Also, what's "combine_http_https_header"? Lastly, the request shouldn't be getting to the pool_route_testing_http, as it's not listed as the default pool on the VIP or being selected in the rule using the pool command.

    Maybe if you can provide more detail on what you're trying to accomplish and a bit more detail on the current configuration we can work out a solution that will work.

    Aaron
  • I'm curious about this. If you're willing to, can you email me at hooleylists at gmail dot com?

    Aaron
  • Hello,

    I'm new to this technology, and not sure that my question is the same as yours, but I need help with this problem:

    I need to add SSL traffic to an existing VIP, without losing the HTTP access.

    some clients <---https---->F5<----http---> server

    and

    the rest of clients<---http---->F5 <----http--->the same server

    so I did this:

    - create a new VS (app_https_vs) with the same IP but listening on 443
    - install an SSL certificate
    - create SSL_client_profile based on this certificate
    - use this profile on the newly created VS (without an SSL server profile)
    - write an iRule (that I found on this forum) like this:

    when CLIENT_ACCEPTED {
        pool decibel_rct_http_pool
    }

    The problem is that after the login page the traffic becomes HTTP

    and I get a blank page !?!..

    Anyone have an idea about this?

    NB: the server is an iPlanet using the Siebel plugin.

    Thanks for the help,

    hatem

  • Hi Hatem,

    It sounds like you're implementing a pretty standard configuration with separate VIPs for HTTP and HTTPS. What you've described sounds correct. Though, you shouldn't need an iRule to select the decibel_rct_http_pool. You can just assign the pool as the default pool on the VIP.

    Also, if the HTTP VIP was working prior to adding the HTTPS VIP, no changes should be necessary to the HTTP VIP. If you remove the iRule and specify the pool, but the requests fail, can you post an anonymized copy of the VIPs and pools from the /config/bigip.conf file?

    Lastly, if the initial request to the HTTPS VIP is being redirected to HTTP, you can enable rewrite redirects on the HTTP profile. You can create a custom HTTP profile, modify the rewrite redirects option and then select this for the HTTPS VIP. You can check the online help for details on the different rewrite redirects options.

    Thanks,

    Aaron
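Aaron's last suggestion, written out as an added configuration example rather than anything from the thread. It uses tmsh syntax (BIG-IP v11 and later, not the v9-style bigip.conf format shown earlier in the thread); 203.0.113.10 is a documentation placeholder address, and clientssl_app stands in for whatever client SSL profile was built from the certificate. The HTTPS virtual terminates TLS, sends cleartext to the existing HTTP pool as its default pool (no iRule needed), and carries a custom HTTP profile whose redirect-rewrite setting turns the server's http:// Location headers back into https:// before they reach the client, which is what stops the post-login drop to HTTP that Hatem describes:

```tmsh
# Added example (not from the thread): HTTPS virtual with redirect rewriting.
# Object names, address and certificate-based profile name are assumptions.
ltm profile http http_rewrite_redirects {
    defaults-from http
    redirect-rewrite all
}

ltm virtual app_https_vs {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool decibel_rct_http_pool
    profiles {
        clientssl_app {
            context clientside
        }
        http_rewrite_redirects { }
        tcp { }
    }
}
```

`redirect-rewrite all` rewrites every http:// redirect the server sends; the `matching` value is narrower and only rewrites redirects whose host and port match the virtual's own, which is the safer choice when the backend also legitimately redirects clients to other sites. Leaving the setting at `none` reproduces the symptom in the thread: the browser follows the server's http:// redirect, lands on the cleartext VIP, and the application loses the session it started over HTTPS.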