Single VIP to support SSL & Non-SSL traffic.

Question

I have a single VIP to support multiple applications by referencing a root context in the uri as follows. The non-SSL traffic applications (off-loading on F5) work but I need to do end-end SSL for one application.

when HTTP_REQUEST {
  switch -glob [HTTP::uri] {
         "/mapping-dev" { pool appsstage_mapping
      HTTP::uri /mapping/mainPage.html
       }
     "/SelfServicePortal*" {
       virtual vs_dsspap1_8080
       pool dsspap1_8080_pool
       } 
 "/redex*" {
   virtual vs_dredex_8888
   pool dredex_8888_pool
   }

"/plm*" {
       pool dplmap1_8080_pool
          }
   "/mstrsbx*" {
       virtual vs_dmstap6_443

!!!!
The "/mstrsbx*" root context needs end-end SSL, how do I make it work? All non-ssl works since they are offloading on the F5.

milk_man · Answer

You could put a "SSL::disable serverside" at the beginning of the HTTP_REQUEST event, then in the switch statement, use "SSL::enable serverside". Otherwise you would need to issue "SSL::disable serverside" on each match for those sites that need SSL offload.&nbsp;
Devcentral link on SSL iRule commands&nbsp;

mimlo_61970 · Answer

See this discussion.&nbsp;
https://devcentral.f5.com/questions/using-a-server-side-http-and-https-to-different-app-server-pools&nbsp;
it looks like you need to set a server ssl profile on the virtual server, and then disable it for the connections that do not need it with SSL::disable serverside&nbsp;

nitin2014_16246 · Answer

SSL Offload is working fine. Its the SSL enable from F5 to the backend servers for "/mstrsbx" which is not working.
Will the following work?
"/mstrsbx" {
       SSL::enable serverside 
       virtual vs_dmstap6_443
       }&nbsp;

milk_man · Answer

I don't believe you can actually selectively enable the SSL profile if it didn't exist on the virtual in the first place. Hence why you need the serverssl profile on the virtual, then disable/enable when needed.

mimlo_61970 · Answer

You need to do 2 things. First, you must assign a server SSL profile to the virtual server. Second, you can either disable the profile on all HTTP paths by adding in SSL::disable serverside OR as also suggested, you could disable it at the top of the HTTP_REQUEST section, and then enable it on the HTTPS path for /mstrsbx

Forum Discussion

Single VIP to support SSL & Non-SSL traffic.

10 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

fellow traffic

Multi-port support for HTTP/TCP load balancers in F5 Distributed Cloud (XC)

f5 iHealth and Support

have ssl and non ssl pools (or pool members) for a VS

Using F5 for load balancing internal traffic