dp_119903
Oct 08, 2014

Really basic redirect question

I feel foolish for not knowing this but I have a really basic redirect question.

I have a server (maintained by a different team) that is listening for SSL connections on 7004 for a specific URI. For example:

10.5.x.x:7004/specific_example/

I want to set up a virtual server to listen for inbound requests on port 443 and then forward them to the server on the backside. I know how to write an iRule to append the "/specific_example/" to the inbound request, but something isn't working. I am doing this exact scenario with another server/team with the only difference being that I'm offloading SSL and not re-encrypting on the backside as I was able to talk the other team into disabling SSL on their server. In this example the server needs to continue listening for SSL traffic so I have added the SSLserver profile, which is how I think you re-encrypt, but I have a feeling something isn't translating b/c when I go to the virtual server I'm getting a 404, but when I go to the actual server I am able to get the web page to load.

 

21 Replies

  • shaggy

    Can you post the configuration for this virtual server and the iRule that you're using? Via CLI -

    tmsh list ltm virtual (vs-name)

    You are correct - server-ssl profiles re-encrypt traffic to the pool member, and client-ssl profiles terminate SSL connections from the user at the F5. If you are receiving a 404 response, it appears as if IP/TCP traffic is properly flowing to/from the server and that SSL handshakes are occurring, the server just doesn't have the URL being requested. If traffic wasn't flowing or handshakes weren't occurring, you would see timeouts or TCP resets, assuming the iRule isn't configured to respond with a 404.

    Testing via curl may also help -

    curl https://(vs-ip):(vs-port)/(url) -vv

    • dp_119903
      Strange, when I do the tmsh list ltm virtual I only show one virtual server (I have at least 30 configured). I am assuming this is b/c I used a template to create the virtual server...is there a way to show it if I used a template?
    • shaggy
      If all of your iApps were created in /Common, tmsh list ltm virtual recursive
    • dp_119903
      I went ahead and deleted the app and added it manually so that I could display it here:

      ltm virtual MyToken_RSA_http {
          destination 10.5.135.223:http
          ip-protocol tcp
          mask 255.255.255.255
          profiles {
              http { }
              tcp { }
          }
          rules {
              _sys_https_redirect
          }
          vlans-disabled
      }
      ltm virtual MyToken_RSA_https {
          destination 10.1.1.223:https
          ip-protocol tcp
          mask 255.255.255.255
          persist {
              cookie {
                  default yes
              }
          }
          pool MyToken_RSA_pool
          profiles {
              clientssl {
                  context clientside
              }
              http { }
              serverssl {
                  context serverside
              }
              tcp { }
          }
          rules {
              MyToken
          }
          vlans-disabled
      }
  • nathe
    So, clientssl and serverssl will decrypt and then re-encrypt on the backend, so you're right on this. 404 is a "page cannot be found", so can you specifically check the full URL when you go via the VS (failing) and direct to the server (working)? Might be a difference here?
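
A diagnostic iRule for the URL comparison suggested above, as an added example that is not from any poster in this thread and is not the MyToken rule. It prepends the post's /specific_example prefix only when it is missing and logs the URI, Host header, pool member and status, so the request sent via the virtual server can be compared with the one that works directly; the variable names are hypothetical.

```tcl
# Added example: hypothetical diagnostic iRule, not the poster's "MyToken" rule.
when HTTP_REQUEST {
    # Prefix taken from the post; adjust to the backend's real path.
    set prefix "/specific_example"
    set orig_uri [HTTP::uri]

    # Prepend only when the prefix is missing, so a client that already
    # requests /specific_example/... is not rewritten twice.
    if { $orig_uri starts_with $prefix } {
        set new_uri $orig_uri
    } else {
        set new_uri "${prefix}${orig_uri}"
        HTTP::uri $new_uri
    }

    # Log the computed value rather than re-reading HTTP::uri,
    # whose value may be cached within this event.
    log local0. "client=[IP::client_addr] host=[HTTP::host] uri=$orig_uri -> $new_uri"
}

when HTTP_RESPONSE {
    # Record which pool member answered and with what status.
    log local0. "server=[IP::server_addr]:[TCP::server_port] status=[HTTP::status] for $new_uri"
}
```

The log lines are written to /var/log/ltm on the BIG-IP; remove the logging once the 404 is understood.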