Forum Discussion

Naman_65674
Sep 02, 2008

SSL command on non-SSL VIP

Hello,

I want to create an iRule which will be used by two VIPs, one which uses SSL and the other doesn't. Don't ask why, but I want to do something like this:

    if { [TCP::local_port] == "443" } {
       catch { SSL::disable serverside }
    }

but I get the following error when I try to associate the iRule to the Virtual Server:

SSL::disable in rule () requires an associated SERVERSSL or CLIENTSSL profile on the virtual server ()
Can anyone think of a workaround for this? I thought the catch statement would help, but was unlucky with that one.

Thanks,

Naman

3 Replies

  • Hi,

    The SSL::disable command works when the BIGIP is the SSL termination of the SSL flow.

    In your configuration this must not be the case: the SSL flow is established between the client and the server.

    This is, for example, when you process HTTP and HTTPS on the same virtual server:port.

    Then you can do something like this:

       class http_methods {
          "GET"
          "POST"
          "HEAD"
          "PUT"
       }

       when CLIENT_ACCEPTED {
          # Hold the first 5 bytes of client data so they can be inspected
          # before the SSL profile acts on the connection.
          TCP::collect 5
       }

       when CLIENT_DATA {
          # A plaintext HTTP method at the start of the stream means this
          # connection is not SSL: turn the client SSL profile off for it.
          if { [matchclass [TCP::payload] starts_with $::http_methods] } {
             SSL::disable
          }
          # Let the collected bytes (and the rest of the stream) flow on.
          TCP::release
       }

    This way, if it's HTTPS you maintain your SSL configuration so that the BIGIP is the SSL termination with your client (i.e. it will talk HTTPS), but if it's HTTP you receive, then you disable your SSL profile to talk HTTP only.

    N.
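The first-bytes check from the reply above, as an added Python example that is not code from this thread or from F5: it peeks at 5 bytes like TCP::collect 5, treats a leading HTTP method from the same list as plaintext HTTP (where the iRule calls SSL::disable) and leaves SSL in place for everything else. It goes a little beyond the iRule by also recognising a TLS handshake record header, and the sample payloads and method list are constructed here for the example.

```python
"""Classify the first bytes of a client connection the way the iRule above
does. Added example, not code from the thread or from F5; the method list
mirrors the reply's http_methods class and the sample payloads are constructed."""

# Methods the reply's class lists; matched with starts_with semantics like matchclass.
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT")

# TCP::collect 5 in the iRule: only this many bytes are examined.
PEEK_BYTES = 5


def classify_first_bytes(payload: bytes, peek: int = PEEK_BYTES) -> str:
    """Return 'http', 'tls' or 'unknown' for the first `peek` bytes of a flow.

    'unknown' covers too little data and anything not positively identified,
    so a caller can fail closed (keep the SSL profile) instead of disabling it.
    """
    head = payload[:peek]
    if len(head) < peek:
        return "unknown"  # wait for more data before deciding
    if any(head.startswith(m) for m in HTTP_METHODS):
        return "http"
    # TLS record layer: content type 0x16 = handshake, version major 0x03
    # (SSL 3.0 and every TLS version). The iRule does not need this branch,
    # since anything that is not an HTTP method simply keeps the SSL profile.
    if head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    return "unknown"


def ssl_action(payload: bytes) -> str:
    """What the iRule does with the classification: SSL::disable only for
    plaintext HTTP; everything else keeps the client SSL profile."""
    return "SSL::disable" if classify_first_bytes(payload) == "http" else "keep SSL profile"


# Constructed sample payloads for the example (not captured traffic).
SAMPLES = {
    "http_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls_hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # handshake record
    "short": b"GE",  # fewer than 5 bytes collected so far
    "options": b"OPTIONS * HTTP/1.1\r\n",  # method not in the class: stays on SSL
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} -> {classify_first_bytes(data):8s} {ssl_action(data)}")
```

The "options" sample shows the caveat with the reply's class: a plaintext request using a method not in the list falls through to the SSL profile and will fail the handshake, so the class has to list every method the application actually uses.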

  • Thanks guys for your help. Aaron, I tried your way and it worked great! Just wondering though, does it matter which event I call that in? I am currently doing it in HTTP_REQUEST.

    Thanks,

    Naman
  • Colin_Walker_12
    Historic F5 Account
    It should function all right in HTTP_REQUEST, Naman, but it would be more efficient in CLIENT_ACCEPTED since it would only run once per connection rather than once per request.

    Colin