Rajesh_07_16489
Jan 29, 2015

Using http event when traffic is encrypted from client to server (SSL offload is not done at f5 end)

Folks,

Can you please advise whether we are able to use an HTTP event when traffic is encrypted from client to server (SSL offload is not done at the F5 end)?

My requirement is to forward traffic to only one pool member from the pool of pool members through an iRule when SSL offload is not done at the F5 end.

Thanking you in advance.

4 Replies

  • nathe

    Rajesh - quick answer is no, you can't use any HTTP events in an iRule. BIG-IP won't have the visibility.

    You would have to use the CLIENT_ACCEPTED event and then filter on port, perhaps using TCP::local_port, and then direct to a pool member with the pool command (pool my_Pool member x.x.x.x 443).

    Hope this helps,

    N

  • Hi Nathan, I have now got the exact requirement from the client. I suppose you may be able to help me here. The client's laptop has local host entries for abc.com, xyz.com, console.com and ddd.com, and these host entries point to a single VIP.

    This is the current scenario:

    1. abc.com, xyz.com, console.com, ddd.com -> F5 VIP (1.1.1.1) -> 2 back-end servers (LB – Predictive method; Primary - 192.168.1.2, Secondary - 192.168.1.3)
    2. SSL encryption is happening from client to server and we will not be able to do SSL interception at the F5 end.

    Requirement as follows: When users use console.com, the iRule should be invoked and the request should always reach the primary server's console; if the primary is down, the request should go to the secondary one. For the remaining host entries, traffic flow should happen as per our current scenario explained above. Note: I think users may use a URI along with the host entry of the local machine in order to reach a particular path of the application.

    To my knowledge, if SSL interception is done at the F5 end, then we can use the HTTP::host header value to define the iRule; otherwise we have to define it based upon the client source IP address.

    Not sure how we can approach this scenario. Kindly help me if there is a best solution for this scenario.
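
The port-based selection from nathe's reply, written out as an iRule with the primary/secondary addresses from the follow-up post. This is an added example, not code from the thread: the dedicated console port 8443 and a virtual server that accepts more than one port are assumptions, and because CLIENT_ACCEPTED sees only addresses and ports, the rule cannot tell console.com from the other hostnames when they share the same VIP and port.

```tcl
# Added example, not code from the thread.
# Assumptions: pool name my_Pool (from the reply above), member addresses
# from the follow-up post, and a hypothetical dedicated console port 8443
# on a virtual server that accepts more than one destination port.
when CLIENT_ACCEPTED {
    # Only IP and TCP information is available here; the TLS payload
    # passes through BIG-IP encrypted, so no HTTP::* command can be used.
    if { [TCP::local_port] == 8443 } {
        # Pin console traffic to the primary while its monitor reports it up.
        if { [LB::status pool my_Pool member 192.168.1.2 443] eq "up" } {
            pool my_Pool member 192.168.1.2 443
        } else {
            # Primary is marked down: send the connection to the secondary.
            pool my_Pool member 192.168.1.3 443
        }
    } else {
        # Every other port keeps the pool's normal load-balancing method.
        pool my_Pool
    }
}
```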