Forum Discussion

fgomez_219402
Sep 02, 2015

apply an SSL profile in order to apply an iRule

Hi,

I need to apply an iRule to a VS. However, I just can't apply an HTTP profile since the VS is for a 443 pool. The cert is currently installed on the "pool" side. So my question is: can I still apply an SSL profile to my VS, so I can attach an iRule, but have the cert on the server side?

3 Replies

  • Can I assume you are using 443 passthrough? 443 -> 443("Pool side") ?

    The LTM will need to decrypt the traffic in order for the iRule to work. Apply/install the "Pool side" certificate and key on the LTM and change the "Pool side" to whatever port is needed, i.e. :80.

    You can then apply the iRule and HTTP profile.

    I think I followed :)

  • Hi, there are two contexts to be aware of: client-side (client > F5) and server-side (F5 > server). For SSL you have 3 options:

    1. SSL Offload - terminate SSL at the F5 client-side and then unencrypted HTTP server-side - requires a client-SSL profile
    2. SSL Bridging (re-encrypt) - terminate SSL at the F5 client-side and then re-encrypt HTTP server-side - requires a client-SSL profile and a server-SSL profile
    3. SSL Passthrough - no SSL termination - no SSL profiles required

    For the first 2 options you can apply an HTTP profile and do iRule work at the HTTP level; for the last option the F5 has no visibility of HTTP as it's not decrypting the traffic. If your webserver is terminating SSL and you also want the F5 to terminate SSL and be able to apply HTTP logic, then option 2 is what you want.

    Hope this helps, cheers.

  • Yes, you will need a cert in the client-SSL profile for Option 2; this will be the one the users type in the browser. The webserver cert can be the same or different, as the F5 doesn't verify the webserver cert by default.

    Option 3 is also an option for you if you were only checking the client IP, as that should be done with the CLIENT_ACCEPTED event (layer 3) and doesn't need HTTP. Therefore you wouldn't need any SSL profiles or HTTP profiles. But this may limit you if you wanted to do anything else at HTTP, e.g. ASM, cookie persistence, etc.
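The distinction drawn in the last two replies, as an added example iRule that is not from this thread or from F5: the CLIENT_ACCEPTED part runs on every TCP connection regardless of SSL profiles, while the HTTP_REQUEST part only ever fires when the virtual server carries a client-SSL profile (option 1 or 2) plus an HTTP profile. The data group name dg_allowed_clients and the /admin path are assumptions for illustration.

```tcl
# Added example iRule (not from this thread). Assumes an IP-type data group
# named "dg_allowed_clients" exists on the BIG-IP; adjust to your own names.

when CLIENT_ACCEPTED {
    # Layer-3 event: fires for every accepted TCP connection before any
    # decryption, so this block works with SSL passthrough (option 3) and
    # needs neither a client-SSL nor an HTTP profile on the virtual server.
    if { ![class match [IP::client_addr] equals dg_allowed_clients] } {
        log local0. "Rejecting [IP::client_addr]: not in dg_allowed_clients"
        reject
        return
    }
}

when HTTP_REQUEST {
    # HTTP event: only fires when the LTM sees the plaintext request, i.e.
    # with a client-SSL profile (offload or bridging) and an HTTP profile
    # attached. Under passthrough this event never runs, so HTTP-level
    # checks like the one below would silently not apply.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    if { [string tolower [HTTP::uri]] starts_with "/admin" } {
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }
}
```

With option 2 the pool members still receive HTTPS, but because the LTM holds the client-facing certificate and key, both events above have the data they need.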