Forum Discussion

Brian_Dantzig's avatar
Brian_Dantzig
Icon for Nimbostratus rankNimbostratus
Jul 03, 2012

selective drop of SSL

I have a virtual server that has client and server ssl profiles so that incoming HTTPS is terminated then after processing is re-encrypted to the pool. There is an iRule that inspects the HTTP requests and for certain paths it changes the pool. I have done this before. However, I want to send some requests to a pool of servers that are HTTP not HTTPS. I tried this once before by dropping the encryption in the iRule but that drops it for all subsequent requests down the connection including ones destined for the encrypted pool/servers.

 

Any ideas on how to accomplish this?

 

2 Replies

  • Depending on how many paths you would like to exclude from encryption, you could use a couple of different methods. The simplest method for a single path:

    when CLIENT_ACCEPTED {
      SSL::disable serverside
    }
    
    when HTTP_REQUEST { 
      if {!([string tolower [HTTP::path]] starts_with "/standardhttppath") } {
        SSL::enable serverside
        }
    }
     Or, if you have many paths that you would like to list in a data group (called 'standard_http_dg' in this example) 
     when CLIENT_ACCEPTED {
      SSL::disable serverside
    }
    
    when HTTP_REQUEST {
      if { ![class match [string tolower [HTTP::path]] starts_with standard_http_dg] } {
        SSL::enable serverside
        }
    }

    Regards,

    Eric
  • Thank you. I'll give it a try. Are there performance concerns with this? It looks like we might be doing a lot of extra SSL negotiations.