T_Rajneesh
Jun 19, 2019
Solved

SSL issue "Server throwing SSL exceptions"

Hi,

We have a setup where a request from Imperva to F5 comes in as HTTPS, but when sending the request downstream to the pool (F5 -> WCS), we are getting an error. Possibly the request needs to be modified to HTTP, which should possibly resolve the issue. Currently, when the request comes in as HTTPS, the backend server is throwing SSL exceptions.

Is there a way we can write an iRule to send traffic coming in as HTTPS to the backend server with HTTP?

 

Thank you

  • Perfect!

     

    Please don't forget to score my answer (or mark it as "the best") if it was helpful for you ;-)

10 Replies

  • Hello.

    When you have a configuration like this in your virtual server

    Client SSL profile: yes

    Server SSL profile: none

    You are already sending traffic offloaded to the backend server.

    KR,

    Dario.

    • T_Rajneesh
      Hi Dario, we have a VIP with both client & server SSL offloading, but here we have an iRule attached to this VIP, stating to send the request to another pool not associated with this VIP, whose node/server is listening on port 3737.
      Example: VIP Test..443, Pool abc: Server 1 - 443, Server 2 - 443.
      But the iRule attached to this VIP is to send traffic to Pool xyx: Server 3 - 3737.
      • Dario_Garrido

        You can have a VS with both SSL profiles (client & server) and deactivate one of them using an iRule (or even better, a policy).

        One example:

        >> VS

        ltm virtual VS-TEST_443 {
            destination 10.1.1.1:https
            ip-protocol tcp
            mask 255.255.255.255
            pool P-ABC_443
            profiles {
                clientssl {
                    context clientside
                }
                http { }
                serverssl {
                    context serverside
                }
                tcp { }
            }
            source 0.0.0.0/0
            source-address-translation {
                type automap
            }
            translate-address enabled
            translate-port enabled
        }

        >> RULE

        when HTTP_REQUEST {
            if { [HTTP::host] equals "url.com" } {
                SSL::disable serverside
                pool P-XYZ_3737
            }
        }

        IMPORTANT: the communication to the backend P-XYZ_3737 should have to be using HTTP (not HTTPS), to avoid errors.

        KR,

        Dario.

  • Hi Dario,

     

    Can you please help me here? We are still getting an error when accessing the website. It only works when port 80 is enabled on the server, but the actual server is listening on port 3737.

     

    Is it possible to write an iRule to send the request to the backend pool with port 3737?

     

    Thanking you in advance.

    • Dario_Garrido

      Actually, the iRule is already configured to send the traffic to the backend with port 3737 when the hostname matches "url.com".

      If you are using encryption, you should not disable the SSL server profile.

      Hope this helps

      KR,

      Dario.

      • T_Rajneesh
        Thanks for the prompt reply, Dario. The server is not listening on port 443. SSL disable is fine. The server/application owner enabled only port 3737 and expected to access the application on port 3737 only. But it was not working with the given iRule unless they enabled port 80 on the server. Not sure if the request coming to F5 is on port 80 or 3737. Is it possible to enable port 3737 after client-side SSL offloading and send the request to the backend server, assuming the request is presently coming to F5 on port 80?
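
A diagnostic variant of the iRule posted earlier in the thread, as an added example that is not part of any post here: it logs which virtual-server port the request arrived on and which pool member and port the BIG-IP actually selected, so the port 80 versus 3737 question can be answered from the log. The hostname `url.com` and pool `P-XYZ_3737` come from the thread; the Host header normalization and the log message format are assumptions.

```tcl
# Added diagnostic example, not the thread author's iRule.
when HTTP_REQUEST {
    # Port on the virtual server that the upstream proxy connected to
    set vs_port [TCP::local_port]

    # Assumption: normalize the Host header, because a strict
    # 'equals "url.com"' does not match "URL.com" or "url.com:443"
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    set plain 0
    if { $host equals "url.com" } {
        # Traffic to this pool leaves the BIG-IP unencrypted (plain HTTP)
        SSL::disable serverside
        pool P-XYZ_3737
        set plain 1
    }
    log local0. "client=[IP::client_addr] vs_port=$vs_port host=$host serverside_ssl_disabled=$plain"
}

when LB_SELECTED {
    # Pool member and port chosen by load balancing for this request
    log local0. "selected [LB::server addr]:[LB::server port] pool=[LB::server pool]"
}

when SERVER_CONNECTED {
    # Address and port of the server-side TCP connection that was opened
    log local0. "connected to [IP::server_addr]:[TCP::server_port]"
}

when LB_FAILED {
    # No member could be selected or reached (for example, the member is marked down)
    log local0. "load balancing failed for [LB::server]"
}
```

The `log local0.` messages are written to `/var/log/ltm` on the BIG-IP. A `selected` line showing a port other than 3737 means the request did not match the host condition and went to the virtual server's default pool.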