Forum Discussion

John_Stevensen
Oct 30, 2012

Incoming 443 Passthru LTM and use iRule to redirect to pool

Client connections come in on SSL 443; they need to pass through the LTM with no modification/termination.

The client's SSL session needs to terminate directly on the server. The LTM cannot touch the session. I'm trying to use the iRule to look for a string in the URL; if found, redirect to pool_2_8089. If the string doesn't exist, default to pool_1.

pool_2_8089

    Member server 192.168.1.101:8089 (is terminating SSL)

pool_1

    Member server 192.168.1.101:443 (exact same server, just terminating SSL at 443)

I have this iRule:

when HTTP_REQUEST {
    # Send the VXU submit path to the 8089 pool when it has live members;
    # everything else (and the fallback when 8089 is down) goes to pool_1.
    if { ([active_members pool_2_8089] > 0) and ([HTTP::uri] contains "/submitVXUMessage") } {
        pool pool_2_8089
    } else {
        pool pool_1
    }
}

The vs_dbtest:

    listening at 443
    no SSL client or server profiles
    in order to use the iRule, I had to select an HTTP profile
    pool_1 is default

ANY help is much appreciated.


9 Replies

  • You cannot see an HTTP URI without first terminating the SSL traffic.

    Would it be possible to default to the terminating VIP and redirect to the non-terminating VIP if the URI is encountered?

  • You can't look at the HTTP URI as you are not terminating the SSL on the F5. All the F5 can see is encrypted SSL data. You have two options here:

    1) Terminate the SSL on the F5 using an SSLClient profile. You can re-encrypt to the server using an SSLServer profile if necessary.

    2) Use the ProxySSL feature, although I'm unsure if it's appropriate in this case: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

  • You wouldn't be able to redirect traffic to different pools with ProxySSL.

    ProxySSL requires an uninterrupted path between the client and server during the initial SSL negotiation.

  • Wow... I learn new things every day.. never heard of ProxySSL! Looks cool.

    Reading that solution doc, it does sound like you would have full access to the HTTP traffic.. Why do you say, Keven, that he cannot use this? What would the purpose of ProxySSL be then? The sol says one reason is:

    iRules to read or write application data

    Thanks,

    Mohamed.

  • You wouldn't be able to redirect traffic to different pools with ProxySSL.

    Did not read that carefully. I see now. Thanks.

  • Thank you!

    Do you know off the top of your head if the ProxySSL feature is supported in our release BIG-IP 10.2.0 Build 1755.1 Hotfix HF1?

  • That sol doc says it only applies to: 11.2.0, 11.1.0, 11.0.0

    But as Keven said, at HTTP_REQUEST time, the pool member was already selected and the SSL connection completed with it.

  • LOL.

    When I was typing my reply.... a flood of other replies had funneled in and I didn't get to read them yet.

    You guys rock.
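For reference, this is what option 1 from the second reply (and the point made again in the seventh) looks like when written out: the BIG-IP terminates the client's TLS with a clientssl profile, so HTTP_REQUEST can actually read the URI, and re-encrypts to the members with a serverssl profile because both 192.168.1.101:443 and 192.168.1.101:8089 terminate TLS themselves. This is an added example in bigip.conf/tmsh style, not configuration from the thread or from F5; the VIP address 10.0.0.10, the profile name clientssl-dbtest, the certificate and key names dbtest.crt and dbtest.key, the monitor choice and the rule name dbtest_route are assumptions. It necessarily gives up the original requirement that the LTM not touch the session, which is exactly what the replies say is unavoidable.

```tcl
# Added example, not from the thread. Assumes dbtest.crt / dbtest.key are
# already installed on the BIG-IP and that 10.0.0.10 is a free VIP address.

# Client-side TLS ends here. Without this profile the HTTP profile sees only
# ciphertext and HTTP::uri is never populated.
ltm profile client-ssl clientssl-dbtest {
    defaults-from clientssl
    cert dbtest.crt
    key dbtest.key
}

# Both members still speak TLS, so the server side is re-encrypted with the
# built-in serverssl profile attached to the virtual below.
ltm pool pool_1 {
    members { 192.168.1.101:443 { } }
    monitor https
}
ltm pool pool_2_8089 {
    members { 192.168.1.101:8089 { } }
    monitor https
}

# The poster's routing rule, unchanged in logic; it now works because the
# request is decrypted before HTTP_REQUEST fires.
ltm rule dbtest_route {
when HTTP_REQUEST {
    if { ([active_members pool_2_8089] > 0) and ([HTTP::uri] contains "/submitVXUMessage") } {
        pool pool_2_8089
    } else {
        pool pool_1
    }
}
}

# The original vs_dbtest had only http; the two SSL profiles are the change.
ltm virtual vs_dbtest {
    destination 10.0.0.10:443
    ip-protocol tcp
    profiles {
        tcp { }
        clientssl-dbtest { context clientside }
        serverssl { context serverside }
        http { }
        oneconnect { }
    }
    pool pool_1
    rules { dbtest_route }
}
```

Two practical notes. The certificate on clientssl-dbtest is what clients now see, so it has to be one they trust for the name they connect to; that is the visible cost of moving termination onto the LTM. The oneconnect profile is there because, without it, the pool command in HTTP_REQUEST only takes effect for the first request on a keep-alive client connection; later requests on that connection reuse the server-side connection that was already opened, so a /submitVXUMessage request following an ordinary one would stay on pool_1.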