reen_sc_140631
Feb 06, 2015

iRule ProxyPass and SSL to Backend

Hello Folks,

I am currently struggling with the ProxyPass iRule, because I am not able to get a server SSL handshake to the backend server.

Everything is fine when I define the backend server in the default pool (VS settings) and without path manipulations. If I try to realize that via the ProxyPass iRule with a server-side URI redirect, it doesn't work.

Client side: www.test.com/tomcat/

Server side: www.test.com/

I did create a VS: vs_test_https and a data group: ProxyPassvs_test_https [ /tomcat/ := /(partition)/p_tomcat_host ] [ as described in the ProxyPass iRule ]

and so on. With a tcpdump I see the traffic to the related backend server on port 443 but no successful SSL handshake!?

What's wrong in my configuration? Any suggestions?

Thanks a lot

2 Replies

  • Sorry for the delay.

    Here is my configuration. Only standards... no additional modifications.

    I did check the ProxyPass with "http" to the backend and it's working fine. Only a ServerSSL connection won't be established!?

    ltm virtual /preprod/vs_tomcat {
        destination /preprod/193.90.130.45%2:https
        ip-protocol tcp
        mask 255.255.255.255
        partition preprod
        persist {
            cookie {
                default yes
            }
        }
        pool /preprod/p_backend_https
        profiles {
            clientssl {
                context clientside
            }
            http { }
            oneconnect { }
            tcp { }
        }
        rules {
            i_ios_ltm_log_ssl_client_handshake
            i_ios_ltm_log_ssl_server_handshake
            /preprod/ProxyPass
        }
        source 0.0.0.0%2/0
        source-address-translation {
            type automap
        }
        vlans {
            vlan_webdmz
        }
        vlans-enabled
        vs-index 56
    }

    ltm data-group internal /preprod/ProxyPassvs_tomcat {
        partition preprod
        records {
            /ssltomcat/ {
                data "/ p_tomcat_https"
            }
            /tomcat/ {
                data "/ p_tomcat_http"
            }
        }
        type string
    }

    ltm data-group internal /preprod/ProxyPassSSLProfiles {
        partition preprod
        records {
            "p_tomcat_https profile_serverssl" { }
        }
        type string
    }

    It looks like the SSL profile in the data group (ProxyPassSSLProfiles) is not used. If I define the serverssl profile to the Virtual Server => same effect.

    With SSLDump:

    New TCP connection 24: 193.90.139.18(58915) <-> 192.168.1.30(443)
    24 0.0016 (0.0016) S>C TCP RST