URI Rule in Rewrite profile disable Server SSL profile?

Piotr,

I guess you discovered a feature not documented.

you can :

• contact your local F5 team to ask for information.
• open a support case to confirm it's the expected behavior
• troubleshoot yourself how it is working (multiple rewrite rules depending on the URI and capture server side traffic to see if the F5 send the CLIENT_HELLO packet)

Of course, don't forget to share here the information.

I guess the last solution will be quicker than others ;-) . we are still waiting for a clientless feature documentation since several years.

Hi,

Will try to go via Support.

I am not sure about your last advice:

troubleshoot yourself how it is working (multiple rewrite rules depending on the URI and capture server side traffic to see if the F5 send the CLIENT_HELLO packet)

I already checked that when http is set in Server URI then BIG-IP is not sending any CLIENT_HELLO packets but still sending to port 443.

Immediately after changing http to https Server SSL profile starts to work - normal SSL Handshake performed and traffic encrypted.

What is strange that seems to be not a case if Local Traffic Policy is used to switch between Pools with selective disabling Server SSL.

Will have to test but I pretty sure that even if there is URI Rule http <-> http but selected pool member is using Server SSL it is not disabled - encryption works.

Piotr

I confirm that even if Local Traffic Policy is configured to disable serverssl, it first send CLIENT_HELLO, then fallback to cleartext...

Hmm, do you mean that disabling Server SSL via LTP is not working? I had LTP where depending on request Host header Server SSL is kept enabled (two FQDNS) and disabled (one FQDN) - never noticed issue with sending unecrypted traffic to backend - but never noticed CLIENT_HELLO as well because most often my Wireshark was set with http filter :-)

I did however notice some strange errors in LTM log related to VS with LTP:

transaction failed:010716e2:3: Policy '/Common/Drafts/something', rule 'some rule'; an action precedes its conditions.

This is in fact related to rule that is not disabling Server SSL.

Piotr

we discovered this behavior after upgrade to version 13.0 because of ssl log level change since version 12.0 https://support.f5.com/csp/article/K15292

the issue is a serverssl disable / enable is per client side connection on client side context. if the first server side connection used a SSL connection, it can't disable SSL for the following server side connection.

to summarize, SSL::disable serverside or LTP disable serverssl can't disable server side ssl per request.

I wrote following rule for this behavior (this is not the one I tested, I rewrite it here)

when HTTP_REQUEST {
    if {[POLICY::targets serverssl] } {
        set disable_server_ssl 1
    } else {
        set disable_server_ssl 0
    }
}

when SERVER_CONNECTED {
    if { $disable_server_ssl == 1 } then {
        SSL::disable serverside
    }
}

Thanks for info. To be 100% sure - is this related to v13 or it should not work as well in v12?

I will redo the tests but I am 99% sure that I tried such sequence (one VS with LTP and Server SSL profile):

• Connect to FQDN directing to SSL backend - works
• Connect to FQDN directing to no SSL backend - works
• Connect to FQDN directing to another SSL backend - works

Never noticed this issue - but I am on 12.1.2 as already mentioned.

Piotr

The issue I had is when sharing same fqdn and disable SSL based on URI!

Thanks for info, good to know. I never used such scenario so that is why I never experienced problem.

I thing that it can be caused by fact that same TCP Connection on client side is used for request to different URIs that can be passed to different backends - some with SSL some without - what do you think?

Wonder if OneConnect or some one to force client to establish new TCP connection when there is backend switch would solve it?

Piotr

Hi Stan,

Weird that I forgot about this conversation 🙂

One correction to your iRule:

if {[POLICY::targets serverssl] } {

if {[POLICY::targets server-ssl] } {

BTW - thanks for pointing out how to use POLICY::targets, it is very useful to make iRule more universal!

Did some tests and can't find a problem with server ssl disable in LTP, either in 13.1.1.3 it was corrected or I have not enough sample traffic to trigger error.

Tested LTP like below switching between HTTPS and HTTP to the same server based on URL. It just works. / is sending traffic over HTTPS and /nossl over HTTP, I can repeat switching forever and can't trigger error.

LTP used

ltm policy test-disable-serverssl-per-request {
    controls { forwarding server-ssl }
    description "If URL is /nossl disable serverssl"
    draft-copy Drafts/test-disable-serverssl-per-request
    last-modified 2019-02-28:11:50:07
    requires { http }
    rules {
        change-host_r {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "tcl:VS: \"[getfield [virtual name] / 3]\"; Host: \"[HTTP::host]\"; URI: \"[HTTP::uri]\""
                    priority info
                }
                1 {
                    http-host
                    replace
                    value "tcl:[class match -value [getfield [HTTP::host] : 1] equals vh-parent-https-https-vs_dg]"
                }
            }
            description "Change Host header for any other URL"
            ordinal 1
        }
        disable-serverssl-via-url_r {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "tcl:VS: \"[getfield [virtual name] / 3]\"; Host: \"[HTTP::host]\"; URI: \"[HTTP::uri]\""
                    priority info
                }
                1 {
                    http-host
                    replace
                    value "tcl:[class match -value [getfield [HTTP::host] : 1] equals vh-parent-https-https-vs_dg]"
                }
                2 {
                    server-ssl
                    disable
                }
                3 {
                    forward
                    select
                    pool vh-site41-80_pl
                }
            }
            conditions {
                0 {
                    http-uri
                    path-segment
                    index 1
                    values { nossl }
                }
            }
            description "Disables serverssl when /nossl URL is discovered; changes Host header"
        }
    }
    status published
    strategy first-match
}

So I am bit puzzled how to trigger issue you described - any hint?

Piotr