Forum Discussion

Philip_Jonsson_'s avatar
Philip_Jonsson_
Icon for Altostratus rankAltostratus
Jul 15, 2015

Disable Server SSL profile using iRules while using the ProxyPass iRule

Hey everyone!

We have a generic VS which receives all of the traffic for a certain IP address + port 443. We have applied the ProxyPass iRule which distributes the connections to the correct pool based on the URL.

The VS itself is configured to use both a Client SSL profile and a Server SSL profile. This works for the current servers linked to the VS but the new pool I want to add does not use HTTPS.

The pool member is using a non standard port over the HTTP protocol so when the BIG-IP device is establishing its connection to the pool member it obviously does not work since it's communicating over HTTPS.

I have been trying to turn off the Server SSL profile by using iRules but I don't seem to get it to work. I have used the examples found in the SSL::disable article and I have the following examples that I have tried:

Example:1

when HTTP_REQUEST {
    if { [HTTP::host] equals "url.com"}{
        SSL::disable serverside
        pool pool1
    }
}

Example 2:

when HTTP_REQUEST {
    if { [HTTP::host] equals "url.com"} {
        pool pool1
        set usessl 0
        }
}
when SERVER_CONNECTED {
  if { $usessl == 0 } {
    SSL::disable
    }
}

Example 3:

when HTTP_REQUEST {
    if { [HTTP::host] equals "url.com"}{
    pool pool1
    }
}

when SERVER_CONNECTED {
    if { [PROFILE::exists serverssl] == 1} {
        set disable "SSL::disable serverside" 
    }
}

I applied logging and I can at least see that the traffic is matching the iRule but I'm not entirely sure how I can add more logging to see everything that's happening.

Example 3 will probably turn off ServerSSL entirely but either way it did not work. I'm starting to guess that the ProxyPass iRule is conflicting with my own iRule but I don't have enough iRule knowledge to determine that.

Has anyone else tried to do the same? Do you guys have a suggestion on how to solve this without needing a new external IP address?

Thanks in advance!

5 Replies

  • Hey Zeeshan

     

    Thanks for your reply but that's not really the answer I'm looking for. The question was really regarding turning of the SSL profile while still using the ProxyPass iRule in its original form. I tried using several different iRules that was indeed correct to solve the issue but it seems that the ProxyPass iRule is conflicting with the one I'm creating. I was looking for a way to cause minimal adjustments to the configured VS while adding a new pool that was operating on a non-ssl standard port.

     

  • Your first example code is absolutely a correct way to do this. I'm guessing then the proxypass iRule is indeed causing some conflicts. Just guessing here, but when you do the pool $newpool statement, you could potentially see what pool member that is and disable serverside SSL there.

     

  • Sorry for such a late reply, summer vacation and completely forgot about this question. We decided to simply create a new VS and configure it without a Server SSL profile.

     

    Thanks for your reply!

     

  • Just posting the answer that it might help someone else, you can use the below irules to handle such situations.

      when SERVER_CONNECTED {
       Mention the ports on which SSL Pool members are listening in my case its 443 and 8443
      if {[LB::server port] == 443 or [LB::server port] == 8443 } {
        SSL::profile serverssl-insecure-compatible
       } else {
        SSL::disable
      }
    }
    

    2nd option could be

     when SERVER_CONNECTED {
       Mention the ports on which Non-SSL Poole members are listening for example Poer80
      if {[LB::server port] == 80  } {
        SSL::disable
       }
    }
    
  • IIRC you cannot disable SSL.

     

    Example 3: add "catch {eval $disable}" after the set SSL::disable statement.