Forum Discussion

JayP_46820
Jun 25, 2014

iRule order of operation (SSL offloading)

Hi Guys,

Have a noobie question on iRules, am not a programmer but need to get this working somehow!

We have a LEGACY iRule which looks at the HTTP header and then sends traffic to the relevant Pool. There is no Default Pool configured, it all gets determined in the iRule. All these Pools do SSL offloading. Now we are moving to Office360 which requires SSL bridging for migration, therefore I want to insert a NEW iRule which sends traffic to a new Pool if destined for MRSproxy. Found a NEW iRule on the DevCentral forums which seems to do exactly this (see below). However it is not working, and I am thinking it is an order of operations or priority type issue when having multiple iRules with the same Event type as the trigger...

LEGACY iRule:

    when HTTP_REQUEST {
        # OAB and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Direct all ActiveSync clients to a common pool; use Auth
                # header value if it exists (Basic auth only, which is the
                # default); otherwise we fall back to client IP
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool exchange_as_pool
                COMPRESS::disable
                CACHE::disable
                return
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool exchange2010_owa_pool
            }
        }
    }

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }

NEW iRule:

    when HTTP_REQUEST {
        # If the request is for a proxy.svc URI select a separate pool and leave serverssl enabled
        if { [HTTP::path] eq "/EWS/mrsproxy.svc" } {
            pool exchange2010_secure_pool
        }
    }

5 Replies

  • You could try and add a priority to one rule or another to control the execution order but I'm not sure it'll help considering the rule contents. Why not just integrate the new rule into the first/original?

  • I'm not sure it's a matter of priority or order of operation as much as it is perhaps some missing pieces. Assuming you have a server SSL profile applied to the VIP, the activesync and OA path conditions are not explicitly disabling server side SSL. I've reworked your code to include all conditions in a single iRule:

    when HTTP_REQUEST {
        # OAB and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Direct all ActiveSync clients to a common pool; use Auth
                # header value if it exists (Basic auth only, which is the
                # default); otherwise we fall back to client IP
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool exchange_as_pool
                COMPRESS::disable
                CACHE::disable

                # disable serverssl serverside
                SSL::disable serverside

                return
            }
            "/ews/mrsproxy.svc" {
                # If the request is for a proxy.svc URI select a separate pool
                # and leave serverssl enabled. The label must be lowercase:
                # the switch subject is [string tolower [HTTP::path]], so a
                # mixed-case label such as "/EWS/mrsproxy.svc" would never match
                # and the request would silently land in default.
                pool exchange2010_secure_pool
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool exchange2010_owa_pool

                # disable serverssl serverside
                SSL::disable serverside
            }
        }
    }

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }
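Two things are easy to get wrong when merging rules like the ones in this thread: a case label under `switch -glob -- [string tolower [HTTP::path]]` that still contains uppercase letters (it can never match, so the request quietly falls into `default` and, here, would get server-side SSL disabled), and a `return` that ends up outside the `if` it belongs to, which makes everything after it unreachable. The lint below is an added example, not F5's code and not code from this thread; it scans iRule text for both pitfalls with a regex plus brace matching (not a real Tcl parser), assumes comments sit on their own lines starting with `#`, and the two sample iRules it checks are constructed for the example, modelled on the rules above.

```python
"""
Added example (not F5 code, not from this thread): lint iRule source for two
pitfalls that show up when merging rules.

  tolower-case-label  a switch whose subject is wrapped in [string tolower ...]
                      has a case label with uppercase letters: it never matches.
  unreachable-code    a depth-0 `return` in a `when EVENT { }` body is followed
                      by further statements, which never run.

Assumptions: regex + brace matching, not a Tcl parser; comments are whole lines
starting with '#'; the sample rules at the bottom are constructed for this example.
"""
import re


def _strip_comments(text):
    """Drop Tcl comment lines (first non-blank character is '#')."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def _match_brace(text, start):
    """Index of the '}' that closes the '{' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def _blank_nested(text):
    """Keep only depth-0 code: every top-level {...} becomes an empty {}."""
    out, depth = [], 0
    for c in text:
        if c == "{":
            depth += 1
            if depth == 1:
                out.append("{")
        elif c == "}":
            depth -= 1
            if depth == 0:
                out.append("}")
        elif depth == 0:
            out.append(c)
    return "".join(out)


def _switch_labels(body):
    """Yield the case labels of a switch body (label body label body ...)."""
    i, want_label = 0, True
    while i < len(body):
        if body[i].isspace():
            i += 1
            continue
        if body[i] == '"':                       # "quoted label"
            j = body.index('"', i + 1)
            tok, i = body[i + 1:j], j + 1
        elif body[i] == "{":                     # {braced label} or a case body
            j = _match_brace(body, i)
            tok, i = body[i + 1:j], j + 1
        else:                                    # bare word, e.g. default or -
            m = re.match(r"\S+", body[i:])
            tok, i = m.group(0), i + m.end()
        if want_label:
            yield tok
        want_label = not want_label              # labels and bodies alternate


def lint_irule(text):
    """Return a list of (check, detail) findings for one iRule's source text."""
    src = _strip_comments(text)
    findings = []
    # check 1: uppercase labels under a lowercased switch subject
    for m in re.finditer(r"\bswitch\b([^{]*)\{", src):
        if "string tolower" not in m.group(1):
            continue
        start = m.end() - 1
        for label in _switch_labels(src[start + 1:_match_brace(src, start)]):
            if label != label.lower():
                findings.append(("tolower-case-label",
                                 f'label "{label}" can never match a lowercased subject'))
    # check 2: a depth-0 return with statements after it inside an event body
    for m in re.finditer(r"\bwhen\s+(\w+)(?:\s+priority\s+\d+)?\s*\{", src):
        start = m.end() - 1
        body = src[start + 1:_match_brace(src, start)]
        stmts = [s.strip() for s in re.split(r"[\n;]", _blank_nested(body)) if s.strip()]
        if "return" in stmts and stmts.index("return") < len(stmts) - 1:
            after = len(stmts) - stmts.index("return") - 1
            findings.append(("unreachable-code",
                             f"{m.group(1)}: {after} statement(s) after an unconditional return"))
    return findings


# Constructed sample: merged rule whose mrsproxy label kept its original case.
MERGED_RULE = """
when HTTP_REQUEST {
    # OAB and Autodiscover do not require persistence.
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync" { pool exchange_as_pool ; return }
        "/EWS/mrsproxy.svc" { pool exchange2010_secure_pool }
        default { pool exchange2010_owa_pool ; SSL::disable serverside }
    }
}
"""

# Constructed sample: two rules pasted together with the return outside its if.
PASTED_RULE = """
when HTTP_REQUEST {
    if { [HTTP::path] eq "/EWS/mrsproxy.svc" } {
        pool exchange_secure_pool
    }
    return
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync" { pool exchange_as_pool }
        default { pool exchange2010_owa_pool }
    }
}
"""

if __name__ == "__main__":
    for name, rule in (("MERGED_RULE", MERGED_RULE), ("PASTED_RULE", PASTED_RULE)):
        for check, detail in lint_irule(rule):
            print(f"{name}: {check}: {detail}")
```

The exact-case `if { [HTTP::path] eq "/EWS/mrsproxy.svc" }` in the second sample is not flagged, because nothing lowercases that comparison; only labels compared against a `string tolower` subject are reported.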
  • Thanks Kevin,

    For some reason I couldn't edit the above post and the code was mangled, sorry about that.

    Actually at the moment there is no server side SSL profile on the VS, as all current SSL is offloaded by the F5. Only the particular traffic for mrsproxy will need to have server side SSL. Not sure if that is supported.

    Perhaps I can still combine the iRules like this?

    when HTTP_REQUEST {
        # If the request is for a proxy.svc URI select a separate pool
        # and leave serverssl enabled. This is an exact-case match; a
        # request for /ews/mrsproxy.svc would fall through to the switch.
        if { [HTTP::path] eq "/EWS/mrsproxy.svc" } {
            pool exchange_secure_pool
            # return inside the if, so only mrsproxy traffic skips the switch
            return
        }

        # OAB and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Direct all ActiveSync clients to a common pool; use Auth
                # header value if it exists (Basic auth only, which is the
                # default); otherwise we fall back to client IP
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool exchange_as_pool
                COMPRESS::disable
                CACHE::disable
                return
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool exchange2010_owa_pool
            }
        }
    }

    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }
  • The thing is, if you're load balancing to different pools in a single VIP, and any one of those pools needs a server side SSL, then you must apply a server SSL profile to the VIP and selectively disable it.

  • Thanks Kevin, now I understand why you did it that way. Will try it tonight with the server SSL profile and disabling where needed. This makes sense. =)