Forum Discussion

dwillis619_3073
May 26, 2017

Dynamically remove serverssl profile

My question is how the iRule should look to dynamically remove the serverssl profile when traffic goes to the pool using port 80. I have a pool with a WAF and a real server set in priority groups, with the WAF being the priority (100) and the real server secondary (10). The WAF accepts port 80, but if the WAF is not available traffic will forward directly to the real server using port 443. I read best practice is to have serverssl applied to the VIP and have the iRule strip it away instead of adding it when needed. Here is the syntax of the iRule that I believe may work; looking for confirmation and adjustments. Thanks


when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 80 } {
        SSL::disable
        pool myPool
    } elseif { [TCP::local_port] == 443 } {
        pool myPool
    } else {
        discard
    }
}


2 Replies

  • Anesh

    Some suggestions:

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 80 } {
            SSL::disable
            pool myPool_80
        } elseif { [TCP::local_port] == 443 } {
            SSL::enable
            pool myPool_443
        }
    }
    
  • Hi,

    I assume your config is like this:

    • VS
      • IP:443
      • clientssl profile
      • serverssl profile
      • Pool
        • member_WAF - IP:80, priority 100, default target for traffic, should receive unencrypted traffic
        • member_srv - IP:443, priority 10, backup target, should receive encrypted traffic

    If that's the case, try this iRule:

    when CLIENT_ACCEPTED {
        SSL::disable serverside
        set https 0
    }
    
    when LB_SELECTED {
        set https [expr {[LB::server port] == 443}]
    }
    
    when SERVER_CONNECTED {
        if { $https } {
            SSL::enable serverside
        }
    }
    

    It will disable serverssl by default in CLIENT_ACCEPTED, as most often traffic will go to the HTTP member. If, however, the LB selects the member with port 443 (so your backend srv instead of the WAF), then the serverssl profile is enabled before starting the TCP session on the server side.

    Piotr
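
An added example (not from the thread) that builds on Piotr's approach: the decision is taken directly from `[LB::server port]` in SERVER_CONNECTED, so it also holds if the member is reselected, and each path is logged so a fall-through from the WAF to the port-443 member shows up in the LTM log. It assumes the same setup as above: clientssl and serverssl on the VS, port-80 members plaintext (WAF), port-443 members expecting TLS.

```tcl
# Added example, not code from the original thread.
# Assumes: VS carries clientssl + serverssl; pool members on port 80 are the
# plaintext WAF, members on port 443 are the real servers expecting TLS.

when CLIENT_ACCEPTED {
    # Default to plaintext on the server side; the normal path is the WAF on 80.
    SSL::disable serverside
}

when SERVER_CONNECTED {
    # LB::server port reflects the member actually connected to, including
    # after a reselect, so the serverssl state always matches that member.
    set srv_port [LB::server port]
    if { $srv_port == 443 } {
        # Priority group fell through to the real server: talk TLS to it.
        SSL::enable serverside
        log local0. "[IP::client_addr] -> [LB::server addr]:$srv_port serverssl enabled (WAF bypassed)"
    } else {
        # WAF (or any non-443 member): keep the server side plaintext.
        SSL::disable serverside
        log local0. "[IP::client_addr] -> [LB::server addr]:$srv_port plaintext to WAF"
    }
}
```

The "WAF bypassed" log line is the one worth alerting on, since it means requests are reaching the real server without inspection.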