Forum Discussion
dragonflymr (Cirrostratus)
May 27, 2017
Hi,
I assume your config is like that:
- VS
  - IP:443
  - clientssl profile
  - serverssl profile
- Pool
  - member_WAF - IP:80, priority 100, default target for traffic, should receive unencrypted traffic
  - member_srv - IP:443, priority 10, backup target, should receive encrypted traffic
If that's the case, try this iRule:
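when CLIENT_ACCEPTED {
    # Default: server-side SSL off, since most traffic goes to the HTTP member
    SSL::disable serverside
    set https 0
}
when LB_SELECTED {
    # Record whether the selected pool member listens on port 443
    set https [expr {[LB::server port] == 443}]
}
when SERVER_CONNECTED {
    # Turn the serverssl profile back on only for the port-443 member
    if { $https } {
        SSL::enable serverside
    }
}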
It will disable serverssl by default in CLIENT_ACCEPTED, as most often traffic will go to the HTTP member. If, however, LB selects the member with port 443 (so your backend srv instead of the WAF), then the serverssl profile is enabled before starting the TCP session on the server side.
Piotr