Redirection to pools failing

Since you are not doing SSL offload on the F5 the HTTP_REQUEST event will not fire. Most likely what is happening is the LTM is resting the connection because you have a HTTP profile attached to the VIP and the unit is not seeing HTTP traffic. If you want to LTM to be able to switch traffic it has to be able to see the traffic in plain text. To do this the LTM will need to be doing SSL offload. You can re-encrypt to the servers if you need to.

Ok, go figure. Thanks that we at least have forum where we can find out something about how F5 works. So the setup I have would/should work for pure http but for https the traffic needs first be unencripted by F5 (=offloading). Do I understand this correctly?

Is there a way though to redirect https traffic without offloading?

F5 docs vaguely say you have to use http profile for iRULEs like that to work. But there are no specific https profiles. So does it mean if I want to apply irule to https traffic I must use http profile and (as a consequence) offloading?

Thanks, Richard, I'll try that then, though it makes things much less 'elegant' than they could be (and I don't see why from technical perspective the F5 must see the payload to redirect, its just the 1 possible way how it was designed, not the best to my opinion).

So I need to enable offloading and then add encryption from F5 to the server for each IP pool. Will try that. I see it is also possible to use http class to redirect to pools but I have a feeling it still will have the same requirements.

But for the pure HTTP it should work right away, right? I think I had troubles with that too (hard to test as F5 keep connections even after disabling Virtual server and pool). I need to redirect from http to https too and so need either construct redirection to pools for http (and redirect to https on the nodes) or construct iRULE to redirect http to https on F5. In latter case though it might be a little more difficult to write a single iRULE for both redirection and Im not sure how it would work if I use two different rules (one for http to https and the other to appropriate pool). It seems it would be much easier after all to just add a Virtual Server for each site and not waste time trying to be fancy. Im just stubborn.

First for why we have to see the Payload your iRule is below

when HTTP_REQUEST { 
if {[HTTP::uri] contains "myfirstsite.com" } { 
pool RHDIIS1_OnLAPP_HTTPS 
} else {pool RHDIIS1_Sites_Pool_HTTPS} 
}

In a HTTP transaction the Data is encrypted, the f5 will not see the string myfirstsite.com. The encrypted data will in no way match what the plain text of the data will decrypt to. So with out the F5 either terminating the SSL connection or doing SSL pass through the unit will never see the GET/POST/Head and such and never fire the when HTTP_REQUEST, again because all this data will be in a encrypted format. So this is not a design flaw with the F5 it is how encryption works it secures the data between the parties in the conversion.

Now for the second question, the f5 has a setting on the pool that action on pool member down. By default it is set to none, you can set this to reselect and the unit will make a new LB choice. Now for pure HTTP this mite not work as looking at the pool members it looks like they are HTTPS only. Again the will not accepted the connection. As they will be waiting for the client to send the CLIENT HELLO instead the browser will send a Get/POST/etc request causing the server to terminated the connection.

Now you can support both HTTP and HTTPS on the same VIP

https://devcentral.f5.com/questions/rule-to-support-http-and-https-in-the-same-vip

so the link would look like the following HTTP://www.something.com:443 or HTTPS://www.somthing.com

Now if you are wanting the F5 to redirect traffic from on pool member to another you can enable OneConnect for the HTTP traffic. Note if you try to switch HTTPS traffic from one server to another the server should reset the connection as the connection is again in a encrypted state and the session key is not on the unit in question so it will not know how to read or respond to the traffic. It will be forced to end the connection and the browser should reopen the connection and the client and server will setup a new encryption session.

Now another option for you is to use TLS hostnames or wild card SSL cert. With either you can have one VIP service both connection each give out a cert the browser will support.

Thanks, Richard, I understand. I just did not realize that destination uri is also encrypted in coming packets. Probably makes sense since that's all data sent by the browser. Though then - when server with multiple sites accepts the call it needs to direct it to appropriate site, so it would need to decrypt data first, for which it needs to know which certificate should be used, for which it needs to know the name of the site the call is directed to, which in turn is in the encrypted data. I wonder how does it do then. I guess if all certs have the same secret key then its ok. Or if the initial request has plain text destination uri before encrypted tunnel is created between server and browser. Simple (though not necessarily true) logic says its the latter - call first needs to get to destination somehow, return authenticated identity back to the browser and then exchange keys and start encrypting/decrypting. If correct, then it gives F5 opportunity to start redirect without further reading encrypted data.

I'll check on the link you provided and try to implement. I got the idea, just need to think how to redirect at the same time http and/or https to separate pools and http calls to https. Its easy to send from http to https and I think I understand whats needed to redirect to appropriate pool based on uri, but how to combine them together still eludes me. Need to try. But I don't intend to direct from one member to another in the same pool, I guess I confused you with my description. And, actually in my case, incidentally both certificates are wild cards. But since they are for different domains I don't see how that would help in my case. If by any chance you have some info/link on how to use TLS hostnames you mentioned that would be great.

Here is the solution for using TLS hostnames

http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6823.html?sr=32763977

Ok, I think I got it. To summarize it in a simple manner (and maybe to help somebody else with the same issue):

The case: One physical server (or group of servers) is running several web sites, each with different domain name and requiring standard HTTPS access (443).

Objective: Minimize number of Public IPs used to access websites on the server(s).

Proposed solution: Configure one Virtual Server and assign to it an iRULE which will direct traffic to a pool corresponding to a requested site based on matching URI in the iRULE.

Outcome: It should work fine for regular HTTP traffic. It will not work for HTTPS traffic. If F5 is running version 11 it may be possible to use TLS hostname/SNI feature to achieve objective (no uRUlE is necessary but setup still is somewhat complicated). With versions lower than 11 the objective is impossible to achieve for HTTPS traffic, it is necessary to dedicate a separate Virtual Server for each website or obtain UNC certificate (that and corresponding setup may prove to be more expensive and cumbersome than creating several Virtual Servers).

Reason for Outcome: The reason is the HTTPS protocol implementation - while initial call to the server is open text, it does not contain the name of site the call is directed to (only request for certificate on the server). Since revealing what particular site you want to access hardly represent any security breach this implementation is clearly based on outdated assumption that one server serves one site. So information about specific site name is only available in the already encrypted traffic. So if F5 is just passing HTTPS it has no way to see what site is actually requested and so iRULE will not work (neither, apparently, similar in function HTTP class), no selection will be made and HTTPS call will just hang. If HTTPS will be terminating at F5 by enabling Off-Loading it will require Client SSL profile which can only be one per Virtual server and can contain only one certificate so it will not be possible to unencrypt traffic sent to any but a single site.

If multiple sites are all belong to the same domain then it is possible to achieve objective by using offloading on F5 with a single wild card certificate. Then since F5 will be encrypting/decrypting traffic it will see the name of requested sites and iRULE then can use it to switch traffic to corresponding pool. Similar it would work for UNC certificate - single certificate allows F5 to unencrypt the traffic and pass URI string to iRULE.

One more option can provide a partial solution - use HTTP Virtual server with uRULE that will redirect traffic to HTTPS with custom port. That would allow still use one public IP for all the sites but would require to build Virtual Server with custom HTTPS port for each site. In that case either pass-through HTTPS or off-loading should work fine as no redirection is done on HTTPS traffic itself.

I think that's covers it. Richard, thank you very much for help and let me know if you find some discrepancy in my summary that shows Im still not getting it right.