Forum Discussion

samigo_81875
Sep 04, 2013

Mixed SSL/NON-SSL pools

Hello,

I have mixed SSL and NON-SSL pools. I want to have both ClientSSL decryption ending on the LTM and then re-encrypting from the LTM to the backend pool member which has SSL enabled. I'm not able to get this working using the below:

when HTTP_REQUEST {
    SSL::disable serverside
    switch -glob [string tolower [HTTP::uri]] {
        "/non-ssl_" {
            use pool HTTP-pool
        }
        "/ssl_" {
            SSL::enable serverside
            use pool HTTPS-pool
        }
    }
}

Appreciate any help.

thanks!

6 Replies

  • Also, how can I enable some logging to trace this SSL handshake to see where it is failing? I'm testing it as below: https://www.myserver.com/non_ssl* and https://www.myserver.com/ssl*
  • To do tracing on SSL, just take a tcpdump of the traffic and then use ssldump to decrypt the traffic and look at where the handshake is failing. http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html
  • Your iRule is using a -glob switch but you have no glob conditions, so the URIs would have to exactly match. Otherwise the iRule should work. Here's a minor modification:

    when HTTP_REQUEST {                
        switch -glob [string tolower [HTTP::uri]] {                              
            "/non-ssl*" {
                SSL::disable serverside
                pool HTTP-pool
            }
            "/ssl*" {
                pool HTTPS-pool
            } 
        }
    }
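
The matching difference the last reply describes, as an added example that is not part of the thread: a plain Tcl script (runs under tclsh, no BIG-IP needed) that applies the original and the corrected patterns to sample URIs. The `route` proc, the branch labels and the sample URIs are constructed for illustration.

```tcl
# Added example: plain Tcl, not an iRule. `route` and the sample URIs are
# hypothetical names/values constructed for this illustration.

# Return the label of the first pattern that glob-matches the lower-cased URI,
# mirroring `switch -glob [string tolower [HTTP::uri]]` in the iRule.
proc route {patterns uri} {
    set uri [string tolower $uri]
    foreach {pattern label} $patterns {
        if {[string match $pattern $uri]} {
            return $label
        }
    }
    # No branch ran: the iRule selects no pool and leaves server-side SSL
    # as it was before the switch.
    return "no branch matched"
}

# Patterns from the original iRule: no wildcard, so only the exact URI matches.
set original {
    "/non-ssl_" "HTTP-pool, server-side SSL disabled"
    "/ssl_"     "HTTPS-pool, server-side SSL enabled"
}

# Patterns from the reply: a trailing * matches any URI with that prefix.
set corrected {
    "/non-ssl*" "HTTP-pool, server-side SSL disabled"
    "/ssl*"     "HTTPS-pool, server-side SSL enabled"
}

# Constructed sample URIs: exact matches, prefixed paths, mixed case, no match.
set samples {/ssl_ /ssl_app/login /non-ssl_ /NON-SSL_static/logo.png /other/page}

foreach uri $samples {
    puts [format "%-26s original:  %s" $uri [route $original $uri]]
    puts [format "%-26s corrected: %s" "" [route $corrected $uri]]
}
```

A URI that matches neither pattern falls through both versions, so whatever the virtual server does by default applies to it.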