A virtual server which caters to both HTTPS and plain TCP traffic on the same port.

Question

Hi&nbsp;
Need help creating a Virtual Server which caters to both HTTPS and plain TCP traffic on the same port.
The HTTPS would have to be directed to a pool say pool_1 and the plain TCP traffic would need to be diverted to another pool say pool_2. Is there a way to achieve this through an iRule or any other method?&nbsp;
I have attempted by creating a Virtual Server with the default configurations to cater the HTTPS traffic (involving clientssl, serverssl, HTTP) and then adding an iRule to identify and route the plain TCP traffic to another pool. &nbsp;
I have tried quite a few conditions on the iRule but just cant seem to get both the traffic working.
One works while the other fails.&nbsp;
This is one such example, (only plain tcp traffic works with this)&nbsp;
============================
when CLIENT_ACCEPTED {
HTTP::disable
SSL::disable
pool pool_2
}&nbsp;
when CLIENTSSL_HANDSHAKE priority {
pool pool_1
}&nbsp;
when SERVER_CONNECTED {
SSL::disable serverside&nbsp;
}
Any suggestions on this would be appreciated.&nbsp;

sergio000_19532 · Answer

you could try something like in this link:&nbsp;
https://devcentral.f5.com/articles/handling-http-requests-on-an-https-virtual-server-31668&nbsp;
Now HTTPs using the default pool and setting something like this for http :&nbsp;
when CLIENT_ACCEPTED {
set https_state 0
}&nbsp;
when CLIENTSSL_HANDSHAKE {
  set https_state 1
}&nbsp;
when HTTP_REQUEST {
  if { [$https_state eq 0]  } {
    pool xxxx
  }
}&nbsp;

muthannamp_3382 · Answer

Thanks Sergio, but we have tried this and it does not work.
Because here we are dealing with a plain TCP and HTTPS traffic whereas this article explains how to deal with HTTP and HTTPS traffic.&nbsp;
So the condition 'when HTTP_REQUEST' cannot be applied on plain TCP traffic.&nbsp;

stanislas_piro2 · Answer

Try this code:&nbsp;when CLIENT_ACCEPTED {
    SSL::disable
    TCP::collect
}
when CLIENT_DATA {
     Store TCP Payload up to 2^14 + 5 bytes (Handshake length is up to 2^14)
    set payload [TCP::payload 16389]
    set payloadlen [TCP::payload length]

if { [binary scan $payload cH4Scx3H4x32c tls_record_content_type tls_version tls_recordlen tls_handshake_action tls_handshake_version tls_handshake_sessidlen] == 6 &amp;&amp; \
        ($tls_record_content_type == 22) &amp;&amp; \
        ([string match {030[1-3]} $tls_version]) &amp;&amp; \
        ($tls_handshake_action == 1) &amp;&amp; \
        ($payloadlen == $tls_recordlen+5)} {
        SSL::enable
    }
    TCP::release
}

Forum Discussion

A virtual server which caters to both HTTPS and plain TCP traffic on the same port.

3 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Check a Virtual Server's SSL Status

Virtual Server graphical App for F5 LTM

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire

Trouble applying GoDaddy certificate to a virtual server