Forum Discussion

Mark_Edwards_20
Apr 29, 2014

Using a Server-side HTTP and HTTPS to Different App Server Pools

I have an HTTPS virtual server that does SSL-termination for 150+ applications where the URL is of the form host.name.com/APP1, host.name.com/APP2, etc. The applications are J2EE and the LTM communicates with them using HTTP. The LTM takes the HTTPS request from the client on port 443 and sends it to the correct App server pool using HTTP on port 8080. The routing decision (which app server pool) is made by an iRule that matches APP(X) in the URL and selects the appropriate pool. This works well. Unfortunately, I have one application with a custom extension that needs a certain request to be forwarded as HTTPS (it does string matching on the request URL to verify the validity of the request - the source string is HTTPS and cannot be changed). I tried putting a server-side SSL profile on the virtual server and configuring the pool to use port 443, but as soon as I put the server-side SSL profile on the VS traffic to my non-SSL pools was disrupted - though traffic to my SSL-enabled pool worked great. How can I get the LTM to use HTTP for the majority of my pools, but HTTPS for the one that needs it? I cannot change the hostname of the application or use a custom port (I cannot change the URL the users see). Thanks.

 

9 Replies

  • It may seem counterintuitive, but you would need to apply a server SSL profile to the VIP and disable serverSSL for all non-HTTPS requests.

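    # The virtual server has a server SSL profile attached; it is turned
    # off per request for every pool that expects plain HTTP.
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/app1*" {
                # Plain-HTTP pool: skip server-side SSL
                SSL::disable serverside
                pool app1_pool
            }
            "/app2*" {
                # Plain-HTTP pool: skip server-side SSL
                SSL::disable serverside
                pool app2_pool
            }
            "/secure*" {
                # HTTPS pool: the server SSL profile stays enabled
                pool secure_pool
            }
        }
    }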
    
  • Don't specify any server SSL profile on your virtual server. Just enable a serverside SSL profile in your iRule.

    I understand we cannot enable a serverssl profile without assigning a serverssl profile to the virtual server.

    • Kevin_Stewart
      That is correct. You have to have a serverssl profile assigned to the VIP before you can disable it.
    • CU-Boulder_Hous
      Just to confirm the code in this post will not work as indicated? Setting a variable in HTTP_REQUEST and then reading it and making the change in SERVER_CONNECTED event... https://devcentral.f5.com/s/feed/0D51T00006i7XLmSAM
    • boneyard
      It would really be better to start a new question for a new question. The code from that URL might work if there already is a serverside profile applied to the virtual server and with this you just change it.