selective re-encryption

Question

I'm trying to have a vip with ssl acceleration enabled accept traffic, inspect it, if it is html, re-encrypt it and send it to a secure serverpool. If it is .gif, just send it to a port 80 pool. 
&nbsp;  
&nbsp; I'm trying something like: 
&nbsp;  
&nbsp; when CLIENTSSL_HANDSHAKE { 
&nbsp;   if {HTTP::uri ends_with "gif"} { 
&nbsp;       pool img_pool  } 
&nbsp;   elseif {HTTP::uri ends_with "html" } 
&nbsp;         then use pool html_secure_pool} 
&nbsp;  
&nbsp; I don't know what to use to re-encrypt the data to the secure server. Also, would I need to wait for HTTP_REQUEST after CLIENTSSL_HANDSHAKE or is that enough? 
&nbsp; If I gave the vip a server ssl profile, could I then just parse out the gif's and just leave the rest alone? 
&nbsp;  
&nbsp; Any help would be appreciated. 
&nbsp;

unruley_95363 · Answer

This is what I think you want:

when HTTP_REQUEST {   
     if {[HTTP::uri] ends_with "gif"} {   
        pool img_pool  
     } else {  
        pool html_secure_pool  
     }  
  }  
  when SERVER_CONNECTED { 
     if {[TCP::remote_port] != 443} { 
        SSL::disable 
     } 
  }

The above example is courtesy of drteeth. 
  
 You could even just put the html_secure_pool on the virtual and then remove the "else { pool html_secure_pool }" part of the rule since the pool on the virtual is considered the default pool.

james_thomson · Answer

I made the fallback pool the secure pool in the virtual.I have a clientssl and serverssl profile associated and an http profile associated as well. 
&nbsp;  
&nbsp; With this rule: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    if  {[HTTP::uri] contains "index3"} { 
&nbsp;        pool server2 
&nbsp;        serverside {SSL::disable} 
&nbsp;        } 
&nbsp;    } 
&nbsp; I get this error in /var/log/ltm 
&nbsp;  
&nbsp; Dec  9 22:21:28 tmm tmm[690]: 01220001:3: TCL error: Rule selective  -  Error: connection has no peer! (line 3)     invoked from within "serverside {SSL::disable}" 
&nbsp;  
&nbsp; Any ideas? Do I need to do anything with SSL::verify result?

james_thomson · Answer

With that last part, it got rid of the error and worked: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    if  {[HTTP::uri] contains "index3"} { 
&nbsp;        pool server2 
&nbsp;        } 
&nbsp;    } 
&nbsp; when SERVER_CONNECTED { 
&nbsp;    if {[TCP::remote_port] != 443} { 
&nbsp;           {SSL::disable} 
&nbsp;         } 
&nbsp; } 
&nbsp;  
&nbsp; Thanks for the help.

james_thomson · Answer

With that last part, it got rid of the error and worked: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    if  {[HTTP::uri] contains "index3"} { 
&nbsp;        pool server2 
&nbsp;        } 
&nbsp;    } 
&nbsp; when SERVER_CONNECTED { 
&nbsp;    if {[TCP::remote_port] != 443} { 
&nbsp;           {SSL::disable} 
&nbsp;         } 
&nbsp; } 
&nbsp;  
&nbsp; Thanks for the help.

Forum Discussion

selective re-encryption

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

SSL Full Proxy - SSL Re-Encryption performance degradation

Selective SNAT

Selective Client Cert Authentication

GTM Selective Persistence

20 Lines or Less #44: Redirecting, Re-encrypting, and TCP fun