Forum Discussion
jaikumar_f5
Feb 24, 2019 MVP
Hi Aditya,
It is doable. Let's say below is your requirement:
- VIP is 1.1.1.1:1500
- Pool1 servers are non-ssl servers
- Pool2 servers are ssl servers
- You want http & https to work on 1.1.1.1:1500 VIP.
- http traffic to go to Pool1
- https traffic to go to Pool2
1st, you have to create a clientssl profile which would accept both ssl and non-ssl traffic.
    tmsh create ltm profile client-ssl custom-clientsslprofile-name allow-non-ssl enabled
2nd, you have to create the iRule:
    ltm rule ssl-and-nonssl-irule {
        # Every new connection starts out flagged as cleartext HTTP.
        when CLIENT_ACCEPTED {
            set https_state 0
            log local0. "Lets set https_state value to as 0, meaning its a HTTP traffic"
        }
        # Fires only when a client-side SSL handshake completes, so the flag flips to HTTPS.
        when CLIENTSSL_HANDSHAKE {
            set https_state 1
            log local0. "Lets set https_state value to as 1, meaning its a HTTPS traffic"
        }
        # Pick the pool from the flag: pool_1 for HTTP, pool_2 for HTTPS.
        when HTTP_REQUEST {
            if { $https_state == 0 } {
                pool pool_1
                log local0. "https_state value is 0, meaning its a HTTP traffic & HTTP Pool will be selected"
            } else {
                pool pool_2
                log local0. "https_state value is 1, meaning its a HTTPS traffic & HTTPS Pool will be selected"
            }
        }
        # Turn off the serverssl profile for connections to the non-SSL pool.
        when SERVER_CONNECTED {
            if { $https_state == 0 } {
                log local0. "https_state value is 0, meaning its a HTTP traffic & forcing serverside SSL should not be selected"
                SSL::disable serverside
                log local0. "pool_1 connected"
            } elseif { $https_state == 1 } {
                log local0. "https_state value is 1, meaning its a HTTPS traffic & serverside SSL would be selected"
                log local0. "pool_2 connected"
            }
        }
    }
Finally, have the custom-clientssl & serverssl profiles added to your VS. Add the iRule too. It would be something like below:
    ltm virtual test-ssl-nonssl {
        destination 1.1.1.1:1500
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            http { }
            custom-clientsslprofile-name {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            ssl-and-nonssl-irule
        }
        source 0.0.0.0/0
        source-address-translation {
            pool xxxx
            type snat
        }
        translate-address enabled
        translate-port enabled
        vs-index 123
    }
Let me know how it goes.
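
For readers who want to see what separates the two kinds of traffic on a shared port such as 1.1.1.1:1500, the following added example (not part of the original post, and not F5's implementation) classifies a connection's first bytes as a TLS ClientHello or a cleartext HTTP request and maps the result to the pool names used above. The function names, the method list and the sample bytes are assumptions constructed for illustration.

```python
# Added example: models the HTTP-vs-HTTPS decision on a shared port.
# It is a general technique, not how the BIG-IP implements allow-non-ssl.
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
MAX_TLS_PLAINTEXT = 2 ** 14          # largest TLSPlaintext fragment length
POOLS = {"http": "pool_1", "tls": "pool_2"}   # pool names from the post


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'need_more' or 'unknown' for a connection's first bytes."""
    if not data:
        return "need_more"
    if data[0] == 0x16:              # TLS record content type 22: handshake
        if len(data) < 6:
            # Too short to decide; reject early only if the major version is wrong.
            if len(data) >= 2 and data[1] != 0x03:
                return "unknown"
            return "need_more"
        major, minor = data[1], data[2]
        length = int.from_bytes(data[3:5], "big")
        is_client_hello = data[5] == 0x01      # handshake message type 1
        if major == 0x03 and minor <= 0x04 and 0 < length <= MAX_TLS_PLAINTEXT \
                and is_client_hello:
            return "tls"
        return "unknown"
    for method in HTTP_METHODS:
        token = method + b" "
        if data.startswith(token):   # full method token followed by a space
            return "http"
        if token.startswith(data):   # only part of a method has arrived so far
            return "need_more"
    return "unknown"


def select_pool(data: bytes):
    """Map the classification to a pool name, or None if no decision is possible."""
    return POOLS.get(classify_first_bytes(data))


# Constructed sample inputs (not captured traffic).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: 1.1.1.1:1500\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_CLIENT_HELLO), ("http", SAMPLE_HTTP)):
        print(name, classify_first_bytes(sample), select_pool(sample))
```

Anything classified as `unknown` matches neither pool, which is a useful reminder that a port accepting both protocols will also receive bytes that are neither.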