Forum Discussion

dragonflymr
May 11, 2015

Proxy SSL and virtual command in iRule

Hi,

I am trying to set up a switching VS. So there is a VS with an iRule that, based on the URI, is directing traffic to different VSs on the same LTM.

I'd like to use https for both the switching VS and the target VSs, but it seems not to be working as I expected. My target VSs are using a clientssl profile with a cert/key pair for the domain *.domain.com.

For my switching VS I used both clientssl (to terminate SSL from clients and execute the iRule) and serverssl to re-encrypt traffic before it's sent to the target VSs. I am using the same cert/key for both the client and server profiles on the switching VS - the same cert/key as used in clientssl on the target VSs.

Still, I am getting a TCP reset even before the iRule seems to be executed. I suspect that it's because the iRule is not executed before the SSL handshake with the target server is finished. Then, because the target server is selected inside the iRule, there is no server selected for performing the initial SSL handshake.

Am I right? If so, is there any way to create such a switching scenario when https is used?

Piotr

3 Replies

  • Can you scrub your iRule to remove implementation-specific info (like IPs etc.) and post the relevant parts here?
  • Well, this is not a secret iRule 🙂 just the one provided in the Project Acceleration Tech article. Here it is:

    when HTTP_REQUEST {
      # Insert cookies for policy switching
      set setcookie ""
      log local0. "Cookie $setcookie"
      log local0. "Client [IP::client_addr] connected from switch"
      switch [string tolower [HTTP::uri]] {
        "/none" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=none; Expires=Thu, 01 Jan 1970 00:00:01 GMT\""
        }
        "/tcp" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=tcp\""
        }
        "/compress" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=compress\""
        }
        "/ibr" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=ibr\""
        }
        "/img" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=img\""
        }
        "/reorder" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=reorder\""
        }
        "/spdy" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=spdy\""
        }
        "/http2" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=http2\""
        }
        "/oc" {
            set setcookie " \"Set-Cookie\" \"X-WA-Policy=OneConnect\""
        }
      }

      log local0. "Cookie $setcookie"

      if { [string length $setcookie] > 0 } {
        # Rewrite the URI to "/" so the redirect lands on the site root, then
        # send the 302 with the Set-Cookie header built above.
        HTTP::uri "/"
        set cmd "HTTP::respond 302 Location \"https://sklep.rossnet.pl[HTTP::uri]\" $setcookie"
        eval $cmd
        return
      }
      if { [string tolower [HTTP::uri]] eq "/current" } {
        HTTP::respond 200 content "Current cookie setting for X-WA-Policy is: [HTTP::cookie "X-WA-Policy"]"
        # The response has already been sent; do not fall through to the VS switch.
        return
      }

      # Select the target VS from the policy cookie. The cookie value is
      # lowercased, so every switch pattern below must be lowercase as well.
      set vip "/Common/v.dc.wa_default_0.app/v.dc.wa_default_0_vs"
      switch [string tolower [HTTP::cookie "X-WA-Policy"]] {
        "tcp" {
          set vip "/Common/v.dc.wa_default_0.app/v.dc.wa_default_0_vs"
          COMPRESS::disable
        }
        "compress" {
          set vip "/Common/v.dc.wa_compress_1.app/v.dc.wa_compress_1_vs"
          COMPRESS::enable
        }
        "ibr" {
          set vip "/Common/v.dc.wa_ibr_2.app/v.dc.wa_ibr_2_vs"
          COMPRESS::enable
        }
        "img" {
          set vip "/Common/v.dc.wa_img_3.app/v.dc.wa_img_3_vs"
          COMPRESS::enable
        }
        "reorder" {
          set vip "/Common/v.dc.wa_reorder_4.app/v.dc.wa_reorder_4_vs"
          COMPRESS::enable
        }
        "spdy" {
          set vip "/Common/v.dc.wa_spdy_5.app/v.dc.wa_spdy_5_vs"
          COMPRESS::enable
        }
        "http2" {
          set vip "/Common/v.dc.wa_http2_6.app/v.dc.wa_http2_6_vs"
          COMPRESS::enable
        }
        "oneconnect" {
          # The cookie is set to "OneConnect" above; it arrives lowercased here,
          # so the pattern must be "oneconnect" or this branch never matches.
          set vip "/Common/v.dc.wa_oc_7.app/v.dc.wa_oc_7_vs"
          COMPRESS::enable
        }
        default {
          set vip "/Common/v.dc.wa_default_0.app/v.dc.wa_default_0_vs"
          COMPRESS::disable
        }
      }

      log local0. "Virtual $vip"
      # Hand the connection to the selected VS on the same LTM.
      virtual $vip
    }
    when HTTP_RESPONSE {
      # $vip is only set when the request was actually switched to a target VS.
      if { [info exists vip] } {
        HTTP::header insert "X-DC-Virtual" $vip
      }
    }


    Still, from the log with SSL debug enabled, it looks like the switching VS (with the iRule attached), when set as Proxy SSL, is trying to pass the SSL handshake to the member of the attached pool (a single-member pool). That looks logical looking at the Proxy SSL definition in the docs.

    I am just looking for a way to use https on the client (to test the spdy and http2 profiles - it's not possible to assign these profiles to a VS without enabling SSL termination on the VS) via the switching VS to the target VS (the one with the spdy or http2 profile).

    If I terminate SSL on the switching server, the traffic passed to the target VS is in http and the mentioned profiles will not work. If I pass through SSL via the switching VS (no decryption/encryption) then the iRule will not work.

    If I am using Proxy SSL on the switching server then it is trying to pass the SSL handshake to the attached pool member before even reaching the iRule (logical), so the SSL handshake is failing (the member is http).

    Just running out of ideas here 😞

    Piotr

    • dragonflymr
      Well, I am answering my own question :-). The simple solution was to use SSL bridging: the switching VS uses clientssl and serverssl profiles without setting Proxy SSL. Piotr
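For readers who want to see what the SSL-bridging layout from the answer looks like as configuration, here is an added tmsh example. It is not from the thread or from F5; all object names, addresses, pool names and certificate file names are assumptions, and the target VS is shown as a plain virtual rather than the iApp-folder names used in the iRule above.

```tmsh
# Added example (not from the thread): SSL bridging for a switching VS.
# All object names, addresses and certificate file names are assumptions.

# Client-side profile on the switching VS: terminates TLS from browsers with
# the wildcard cert. proxy-ssl stays disabled; with Proxy SSL the handshake is
# forwarded to the pool member before the iRule runs, which is the failure
# described in the thread.
ltm profile client-ssl /Common/switch_clientssl {
    defaults-from /Common/clientssl
    cert-key-chain {
        wildcard {
            cert /Common/wildcard.domain.com.crt
            key /Common/wildcard.domain.com.key
        }
    }
    proxy-ssl disabled
}

# Server-side profile on the switching VS: re-encrypts toward the target VS.
# peer-cert-mode require plus ca-file make this hop verify the target's
# certificate instead of accepting any certificate (the default).
ltm profile server-ssl /Common/switch_serverssl {
    defaults-from /Common/serverssl
    proxy-ssl disabled
    peer-cert-mode require
    ca-file /Common/internal-ca.crt
}

# Target VS: its own clientssl (required before http2 can be attached) and
# the http2 profile. This is the VS the iRule selects with "virtual".
ltm virtual /Common/wa_http2_vs {
    destination /Common/10.0.0.6:443
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/http2 { }
        /Common/target_clientssl { context clientside }
        /Common/tcp { }
    }
    pool /Common/wa_http2_pool
    source-address-translation { type automap }
}

# Switching VS: clientssl + serverssl (bridging) and the switching iRule.
# The pool is only a fallback for requests the iRule does not switch.
ltm virtual /Common/switch_vs {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/switch_clientssl { context clientside }
        /Common/switch_serverssl { context serverside }
        /Common/tcp { }
    }
    rules { /Common/wa_switch_rule }
    pool /Common/wa_default_pool
    source-address-translation { type automap }
}
```

With bridging, the client-side handshake completes against the switching VS, HTTP_REQUEST fires on the decrypted request, and the `virtual` command picks the target; the server-side handshake toward that target only starts after the selection, which is why the reset seen with Proxy SSL disappears. The one check worth keeping is on the serverssl profile: its default is to accept any certificate on the bridged hop, so if the wildcard certificate on the target VSs is supposed to mean anything for the internal leg, set `peer-cert-mode require` with a `ca-file` as above.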