Forum Discussion

Eddie_27920
Feb 17, 2009

Beginner Help with an HTTPS iRule

Hi all,

This is what I thought would work to look at the HTTPS request and use 2 different pools to send the traffic to. Everything I've looked at in DevCentral always has HTTP examples. Can I not look at the URL and make an iRule determination?

    when HTTPS_REQUEST {
        if { [HTTPS::path] contains "chat.mesaaz.gov" } {
            pool chat.mesaaz.gov_pool
        } elseif { [HTTPS::path] contains "ocs.mesaaz.gov" } {
            pool ocs.mesaaz.gov_pool
        } else {
            pool default_gateway_pool
        }
    }

Thanks,

Eddie

4 Replies

  • Hi Eddie,

    First, HTTPS_REQUEST and HTTPS::path don't exist (but we all wish they did 😉 ). Second, if you are passing HTTPS traffic through the load balancer instead of offloading the SSL traffic, then everything will be encrypted, except the hostname and port.

    If you are offloading SSL traffic on the BIGIP then it's possible to use

        # Needs a clientssl profile on the virtual server so the request is decrypted
        when HTTP_REQUEST {
            # The site names are host names, so match the Host header, not the path
            if { [string tolower [HTTP::host]] contains "chat.mesaaz.gov" } {
                pool chat.mesaaz.gov_pool
            } elseif { [string tolower [HTTP::host]] contains "ocs.mesaaz.gov" } {
                pool ocs.mesaaz.gov_pool
            } else {
                pool default_gateway_pool
            }
        }

    Because the assumption here is that Client to VIP is SSL and then VIP to load balanced node is HTTP.

    Hope that helps

    CB

  • Hi, thanks for your response, but the back-end servers are HTTPS.

    I wanted to just use one VIP for both pools but the websites are secure and the VIP/POOLS are all set up to be HTTPS-only traffic.

    So I'm hearing that this will not work with a secure website? Is that correct?

    Thanks again,

    Eddie
  • Posted By cmbhatt on 02/17/2009 7:14 AM

    Because the assumption here is that Client to VIP is SSL and then VIP to load balanced node is HTTP.

    This will also work if you re-encrypt on the back end, that is, use both a clientssl and a serverssl profile such that LTM is doing the decryption and can read the HTTP request and apply the rule. But the VIP back to the node *can* be SSL as well if you re-encrypt.

    Denny