Forum Discussion

Dan_DeVlieger
Sep 19, 2019

iRule for Setting Server Side SSL

The iRule below is working for the most part; the setting of the server-side SSL profile is the section that is failing, and we are getting SSL errors upon connecting. This error occurs whether we apply the same profile as part of the VIP configuration also.

 

When called, the section to set the serverside SSL is failing, specifically the following commands:

 set SSL::enable

 set SSL::profile TEST-SERVERSIDE-SSL-PROFILE

 

 What are we missing to get this to work?

 

when HTTP_REQUEST {
    # Flag read in SERVER_CONNECTED to decide whether server-side SSL is used
    set CALL_SERVERSIDE_SSL 0
    log local0. "Request: [HTTP::host]"
    if { [HTTP::host] starts_with "siteA.mysite.com" } {
        # Fall back to the sorry pool when no siteA member is available
        if { [active_members SITEA-9032-POOL] < 1 } {
            log local0. "Using pool SO-SORRY-80-POOL"
            pool SO-SORRY-80-POOL
        } else {
            log local0. "Using pool SITEA-9032-POOL"
            pool SITEA-9032-POOL
        }
    } elseif { [HTTP::host] starts_with "siteB.mysite.com" } {
        # siteB is the only pool on 443, so it is the only one that sets the flag
        if { [active_members SITEB-PROD-443-POOL] >= 1 } {
            log local0. "Using pool SITEB-PROD-443-POOL"
            persist source_addr
            set CALL_SERVERSIDE_SSL 1
            pool SITEB-PROD-443-POOL
        } else {
            log local0. "Using pool SO-SORRY-80-POOL"
            pool SO-SORRY-80-POOL
        }
    } elseif { [HTTP::host] starts_with "siteC.mysite.com" } {
        # siteC is routed by URI prefix; anything else is rejected
        if { [HTTP::uri] starts_with "/ca/prd/" } {
            log local0. "Using pool SITEC-PROD-80-POOL"
            persist source_addr
            pool SITEC-PROD-80-POOL
        } elseif { [HTTP::uri] starts_with "/ca/stg/" } {
            log local0. "Using pool SITEC-STG-80-POOL"
            persist source_addr
            pool SITEC-STG-80-POOL
        } else {
            reject
        }
    } elseif { [HTTP::host] starts_with "siteD.mysite.com" } {
        log local0. "Using pool SITED&E-80-POOL"
        pool SITED&E-80-POOL
    } elseif { [HTTP::host] starts_with "siteE.mysite.com" } {
        log local0. "Using pool SITED&E-80-POOL"
        pool SITED&E-80-POOL
    } else {
        log "No header match found"
        reject
    }
}

when SERVER_CONNECTED {
    if { $CALL_SERVERSIDE_SSL == 1 } {
        log local0. "Setting Serverside SSL $CALL_SERVERSIDE_SSL"
        set SSL::enable
        set SSL::profile TEST-SERVERSIDE-SSL-PROFILE
    } else {
        log local0. "Not using Serverside SSL $CALL_SERVERSIDE_SSL"
        set SSL::disable
    }
}

2 Replies

  • Hi Dan DeVlieger,

    You shouldn't use the "set" command before ssl::disable, ssl::enable and ssl::profile.

    when SERVER_CONNECTED {
    	if { $CALL_SERVERSIDE_SSL == 1 } {
    		log local0. "Setting Serverside SSL $CALL_SERVERSIDE_SSL"
    		SSL::enable
    		SSL::profile TEST-SERVERSIDE-SSL-PROFILE
    	} else {
    		log local0. "Not using Serverside SSL $CALL_SERVERSIDE_SSL"
    		SSL::disable
    	}
    }
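
A static check for the mistake the reply identifies, as an added example that is not part of the original thread: it flags lines where `set` precedes an iRule command, which makes Tcl treat the command name as a variable name. The function name, the namespace list and the sample text are assumptions for illustration, and the check assumes one command per line.

```python
import re

# Assumption: a sample of iRule command namespaces, not an exhaustive list.
# "static::" is deliberately absent: `set static::name value` is a legitimate
# variable assignment in iRules.
COMMAND_NAMESPACES = ("SSL", "HTTP", "TCP", "IP", "LB")

_SET_MISUSE = re.compile(
    r"^\s*set\s+((?:%s)::[A-Za-z_]+)(.*)$" % "|".join(COMMAND_NAMESPACES)
)


def find_set_misuse(irule_text):
    """Return (line_number, offending_line, suggested_line) for each line
    where `set` precedes an iRule command, so Tcl treats the command name
    as a variable name instead of invoking it."""
    findings = []
    for number, line in enumerate(irule_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # Tcl comment line
        match = _SET_MISUSE.match(line)
        if match:
            command, rest = match.group(1), match.group(2).rstrip()
            findings.append((number, stripped, command + rest))
    return findings


# Constructed sample: the SERVER_CONNECTED handler from the question, plus one
# legitimate `set` (command substitution on the right) that must not be flagged.
SAMPLE_IRULE = """\
when SERVER_CONNECTED {
    set peer [IP::server_addr]
    if { $CALL_SERVERSIDE_SSL == 1 } {
        set SSL::enable
        set SSL::profile TEST-SERVERSIDE-SSL-PROFILE
    } else {
        set SSL::disable
    }
}
"""

if __name__ == "__main__":
    for number, found, fix in find_set_misuse(SAMPLE_IRULE):
        print(f"line {number}: {found!r} -> {fix!r}")
```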