NimbostratusHi,
I have the below iRule, and it's working with HTTP requests but not with HTTPS. Note that the servers side for both requests is HTTP. Any idea why the iRule is not working in case of HTTPS requests. Thanks.
when HTTP_REQUEST {
switch [string tolower [HTTP::path]] {
"/xyz/abc" {
pool Pool_X
snat 10.10.10.1
}
}
}
Cirrostratus
NimbostratusHi Steve,
You are right, I'm using two seperate VSs one for HTTP and the other one is for HTTPS and both have different iRules which contain the part I mentioned in my previos post. I have observed through tcpdump that for HTTP client traffic BIG-IP is forwarding it to Pool_X and snat it, but for HTTPS it is not.
BR,
CirrostratusOK, good news. Does the HTTPS Virtual Server have a ClientSSL and HTTP profile assigned? Is it a 'standard' VS? In other words, it's terminating the SSL connection right?
NimbostratusYes, all what you have mentioned are correct, and another thing I have observed is that BIG-IP is resetting the HTTPS request for this particular path "/xyz/abc" after some SSL hand shaking pakcets i.e Client Hello, Server Hello, Change Chiper Spec - Encrypted Handshake Message and Application Data.
Cirrostratus
when HTTP_REQUEST {
if { switch [string tolower [HTTP::path]] {
"/xyz/abc" {
log local. "HTTPS Traffic - String Matched"
pool Pool_X
log local. "HTTPS Traffic - Pool Specified"
snat 10.10.10.1
log local. "HTTPS Traffic - SNAT Specified"
return }
}
}
else
}Hi Steve,
It's interseting and weired at the same time, because when I applied the logs everything is worked like a charm.
Only thing I did is adding the logs' statements you have provided. I tried to get an explanation to what happened but I couldn't. I'm sure that BIG-IP was resetting the connection without pool selection or snatting.
Anyhow, it's working now and everyone is happy now. Thanks Steve for your inputs and support, really appreciated.
BR,
CirrostratusNimbostratusHi Steve,
There was a mistake as I was testing HTTP after I have added the logs statement. It works with HTTPS only when I have create a new iRule as following (with or without logs' statement of course):
when HTTP_REQUEST {
switch [string tolower [HTTP::path]] {
"/xyz/abc" {
pool Pool_X
snat 10.10.10.1
}
}
}
The previous iRule which was not working include some additional operator at the begining, so it's something like below:
when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
"www.example.com" -
"example.com" -
"" {
switch [string tolower [HTTP::path]] {
"somestring1" { HTTP::redirect "https://someurl1" }
"somestring2" { HTTP::redirect "https://someurl2" }
"somestring3" { HTTP::redirect "https://someurl3" }
"/xyz/abc" {
pool Pool_X
snat 10.10.10.1
}
}
}
}
}
So I suspect that it could be something related to HTTP::host switch statement as this is the only difference I can see between the two iRules. In the other hand, the HTTP::host value which are expected on HTTPS requests are all mentioned on the list above !! I'm not sure where is the issue with the old iRule :(
CirrostratusNimbostratus
the "" you highlighted was containing some IP, the VS IP.
I will keep the new iRule which is working as it is, and will create a new test HTTPS VS with the same pool, enable the old iRule on it (which is not working) and try to enable logging you have provided and see what is happening exactly. I will update you once I have done with this test. Thanks Steve.
BR,