Confusion on if to use SSL server profile with iRule or not
Hi
I am looking into implementing a standard VS where I will have either of the following scenarios:
1) Client comes using http://url-one.com and the F5 talks to the real server as https://url-one.com
2) Client comes using http://url-one.com and the F5 talks to the real server as https://url-two.com
In both cases the communication is clear between the client and F5, and SSL is used between the F5 and the real servers. The only difference is that in one case the URL on the client side is different than the one used on the server side.
If I want this to work for 1) do I need to use an iRule to rewrite the URL to HTTPS and additionally use the default SSL server profile or do I just need to configure the SSL server profile?
Same question goes for scenario 2).
I was thinking that for 1) I just need the SSL server profile configured on the VS while for 2) I would need rewrite iRule + SSL server profile configured. Am I right?
The scheme part of the URL is for the benefit of the user-agent only. That is, if you type http://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 80, and sends the following:
    GET / HTTP/1.1
    Host: www.example.com
Notice that the "http" part is nowhere to be found. On the other hand, if you type https://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 443, completes a TLS handshake, then sends exactly the same data as above. Again, the scheme ("https") is absent.
As such, as long as the uri-query part (the path and query parameters) is unchanged between the client- and server-side, then there is no need to perform a rewrite. Furthermore, if the Host header is unchanged, then there is no need to change headers. As you say, you need only apply a server-side SSL profile for condition 1. And, as you say, you need to perform a Host header rewrite for condition 2. You can either use an iRule or you can use a Local Traffic Policy.
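The Host header rewrite for condition 2, sketched as an iRule (an added example, not part of the original answer). It assumes the virtual server has an HTTP profile and a server-side SSL profile attached, and uses the hostnames from the question. The response handler goes beyond what the answer covers: it maps redirects issued by the server back to the client-side name, so the client is not sent to https://url-two.com directly.

```tcl
# Added example: hostnames are the ones from the question.
when HTTP_REQUEST {
    # The client sends "Host: url-one.com" over cleartext HTTP.
    # Only the Host header changes; path and query string pass through as-is.
    if { [string tolower [HTTP::host]] eq "url-one.com" } {
        HTTP::header replace Host "url-two.com"
    }
}

when HTTP_RESPONSE {
    # A redirect from the server carries its own scheme and host in Location.
    # Map it back so the client keeps talking to the virtual server.
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        set mapped [string map -nocase \
            [list "https://url-two.com" "http://url-one.com"] $loc]
        if { $mapped ne $loc } {
            HTTP::header replace Location $mapped
        }
    }
}
```

The server-side SSL profile is what encrypts the F5-to-server leg; whether the F5 also verifies the server's certificate depends on that profile's server certificate setting, not on the iRule.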