Forum Discussion
6 Replies
- JRahmAdmin
I would need a more complete description to answer definitively, but it is possible to support SSL and non-SSL traffic on a single virtual with an iRule. It has been a while, but I seem to recall an option in the SSL profile to allow non-SSL traffic as well.
I currently have a website ( that resolves to a VIP on port 80 only and it load-balances to a server pool in our Datacenter.
This is being done on an older F5 running 10.0.1 software.
This is what I have done so far.
I created a port 443 version of the same VIP.
I created an iRule to redirect any traffic with the URI (careers/jobs) to the HTTPS VIP and applied it to the port 80 VIP.
On the HTTPS VIP, I am still working on an iRule to redirect the traffic while keeping the original URL and modifying the links on the hosted site. Also, I am trying to figure out how to use a hostname instead of a pool.
Any help would be appreciated.
Thanks
- Ronald_van_der3Nimbostratus
Well this can be done with an iRule, but from a security perspective, why wouldn't you just push all traffic to SSL in the first place?
This project is currently for the redirection of specific traffic to the external site. Converting the local site to HTTPS will have to be done on a different project since the current servers are not configured to support SSL. This is what I have so far.
On the SSL VIP, I created a stream profile to modify the links on the hosted site.
```
profile stream test-staging-stream { target "@"
```
This is the iRule that I currently have for redirecting the traffic to an external site.
```tcl
rule abc-xyz-redirect4 {
when CLIENT_ACCEPTED {
   set default_pool [LB::server pool]
}
when HTTP_REQUEST priority 100 {
   switch -glob [string tolower [HTTP::uri]] {
      "/careers/jobs*" {
         set path [string map {/careers/jobs* /*} [URI::path [HTTP::uri]]][URI::basename [HTTP::uri]]
         set uri $path[URI::basename [HTTP::uri]][URI::query [HTTP::uri]]
         HTTP::path $path
         set qry_location [string first "?" [HTTP::uri]]
         if { $qry_location > 0 } {
            set qry [string range [HTTP::uri] $qry_location end]
         } else {
            set qry ""
         }
         set uri ${path}/$qry
         HTTP::uri $uri
         log local0. "10>>being redirected to $path"
      }
      default {
         log local0. "-->[HTTP::uri] $default_pool"
         pool $default_pool
         return
      }
   }
   HTTP::header replace Host "www.xyz.com"
   pool www.xyz.com-ssl
}
when HTTP_REQUEST priority 200 {
   log local0. "25>>Outgoing path [HTTP::uri]"
}
}
```
This is the pool config:
```
pool www.xyz.com-ssl {
   action on svcdown reselect
   monitor all https
   members xx.xx.xx.xx:https {}
}
```
This is the current VIP config
```
virtual test.abc.com-ssl {
   snat automap
   pool www.xyz.com-ssl
   destination xx.xx.xx.xx:https
   ip protocol tcp
   rules abc-xyz-redirect4
   profiles {
      abc-TCP-Optimized {}
      abc_Compression {}
      serverssl {
         serverside
      }
      test-staging-stream {}
      wildcard.abc.com-new {
         clientside
      }
   }
}
```
I still need to figure out how to use hostname/DNS lookup instead of the normal pool.
Thanks.
- Ronald_van_der3Nimbostratus
> Converting the local site to HTTPS will have to be done on a different project since the current servers are not configured to support SSL. This is what I have so far.
You know you can use SSL Offloading with the BIG-IPs. This will not require the backend servers to be configured with SSL support...
Yes. I understand that, but since this current project requires SSL from the user to the F5 and from the F5 to the external site, I would need to enable a server SSL profile for SSL bridging to the external site. Once I turn this on, the backend servers would be marked down since they don't have an SSL cert. This is where I am running into an issue. The local servers are port 80 and the external site is 443 and they share the same VIP. This is why I am keeping the local port 80 servers on the port 80 VIP and having an iRule to force the HTTPS to the port 443 VIP, which will be configured for SSL bridging.
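
An added example, not code from the thread: Tcl's `string map` replaces literal substrings, so the `*` in `{/careers/jobs* /*}` in the iRule posted above is not a wildcard. One way to write the prefix-stripping step on the HTTPS VIP, assuming the intent is to forward `/careers/jobs/<rest>` to the external pool as `/<rest>`; the variable names `prefix`, `lpath` and `rest` are illustrative, while the pool name and Host value are the ones used in the thread.

```tcl
when CLIENT_ACCEPTED {
    # Remember the pool assigned to the virtual server
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    # Assumption: this is the only prefix that should reach the external site
    set prefix "/careers/jobs"

    # HTTP::path excludes the query string, so "?" handling is not needed here
    set path  [HTTP::path]
    set lpath [string tolower $path]

    # Require an exact match or a "/" segment boundary, so a path such as
    # "/careers/jobsboard" is not forwarded to the external pool by accident
    if { $lpath eq $prefix || $lpath starts_with "${prefix}/" } {

        # Strip the prefix by length instead of string map
        set rest [string range $path [string length $prefix] end]
        if { $rest eq "" } {
            set rest "/"
        }

        # Re-attach the original query string, if any
        set query [HTTP::query]
        if { $query ne "" } {
            append rest "?$query"
        }

        HTTP::uri $rest

        # Send a fixed Host header rather than whatever the client supplied
        HTTP::header replace Host "www.xyz.com"
        pool www.xyz.com-ssl
        log local0. "rewrote $path to $rest for www.xyz.com-ssl"
    } else {
        pool $default_pool
    }
}
```

Matching on `HTTP::path` with a segment boundary keeps the set of requests that leave for the external site as narrow as the prefix itself, which the `-glob` pattern `/careers/jobs*` does not.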