Forum Discussion

Pael_74584
Oct 09, 2009

HTTPS VS with HTTPS Members

Hi,

The usual configuration in our environment is that the VS is in HTTPS with an SSL profile for the certificate, then the members will simply be in HTTP.

However, we have a unique setup wherein I must host the HTTPS VS, with the members as HTTPS containing the SSL certificate for the VS.

How do you configure this properly? Thanks!

Rafael

6 Replies

  • Hi Rafael,

    If you want to pass through the HTTPS, just configure a VIP without a client or server SSL profile. You could probably use a Performance Layer4 VIP with a FastL4 profile. Optionally, if you want to send an HTTP response back to the client if the pool is down, you could add a client SSL profile and use an iRule like this:

    HTTPS passthrough with a Fallback URL

    http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPS_passthrough_fallback_URL.html

    If you want to decrypt the client side SSL but re-encrypt the server side connection, you can add both a client and server SSL profile to the virtual server. This allows you to inspect and modify the HTTP but still keep all communication over the wire encrypted.

    Aaron
  • If you don't add a client SSL profile you can't add an HTTP profile and can't inspect or modify the HTTP (including using cookie insert persistence). If you don't want/need to use cookie insert persistence, you could try SSL session ID persistence with no SSL profiles. The downside to this is that older IE browsers may re-negotiate the SSL session often.

    Aaron
  • Hi Aaron,

    I selected Performance Layer 4 and SSL persistence, but I get this error:

    01070652:3: SSL persistence on virtual server VS1 requires a TCP profile and cannot be used with an FTP profile.

    However, I did not define any FTP profile.

    -rafael
  • Sorry for the wrong information. I guess SSL persistence isn't compatible with a Perf Layer4 VIP--which I guess makes sense as SSL is above layer 4. You could try using SSL session persistence with a standard TCP based virtual server without a client or server SSL profile.

    Aaron
  • Hi Pael,

    You could also try Performance HTTP with cookie persistence. This works for me for the same scenario you have mentioned.
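
The setups discussed in this thread, side by side, as an added tmsh example that is not part of the original posts. The object names, the 192.0.2.x and 10.0.0.x addresses, and the use of the stock `tcp`, `http`, `fastL4`, `clientssl`, `serverssl`, `cookie` and `ssl` profiles are assumptions for illustration, and the syntax assumes a BIG-IP release that ships tmsh.

```tmsh
# Constructed example: names and addresses are placeholders.

# Pool of HTTPS members shared by all three variants.
create ltm pool pool_https members add { 10.0.0.11:443 10.0.0.12:443 } monitor https

# Variant A: decrypt on the client side, re-encrypt to the members.
# The client SSL profile is where the VS certificate and key live; the
# stock "clientssl" profile is a stand-in for a custom profile that
# references the real certificate. With SSL terminated on the BIG-IP,
# an HTTP profile and cookie insert persistence become available.
# Caveat: the stock "serverssl" profile does not validate the member's
# certificate (peer-cert-mode ignore), so the back-end leg is encrypted
# but not authenticated unless a custom server SSL profile requires it.
create ltm virtual vs_https_reencrypt \
    destination 192.0.2.10:443 ip-protocol tcp \
    pool pool_https \
    profiles add { tcp http clientssl { context clientside } serverssl { context serverside } } \
    persist replace-all-with { cookie }

# Variant B: passthrough on a standard TCP virtual server.
# No SSL profiles, so the members terminate TLS with their own copy of
# the certificate. No HTTP profile is possible, so persistence falls
# back to the SSL session ID.
create ltm virtual vs_https_passthrough \
    destination 192.0.2.11:443 ip-protocol tcp \
    pool pool_https \
    profiles add { tcp } \
    persist replace-all-with { ssl }

# Variant C: passthrough on Performance (Layer 4) with FastL4.
# Works without persistence. Adding "persist replace-all-with { ssl }"
# here is the combination that is rejected with error 01070652 quoted
# in the thread, because SSL persistence requires a TCP profile.
create ltm virtual vs_https_l4 \
    destination 192.0.2.12:443 ip-protocol tcp \
    pool pool_https \
    profiles add { fastL4 }
```

In variants B and C the private key for the VS certificate must be present on every pool member, while in variant A it is held on the BIG-IP.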