Forum Discussion

Aditya_Mehra
Feb 22, 2019

iRule for redirection for ssl and non ssl on same port

Hi All, I have a Virtual Server on port 1500. The SSL terminates here as well.

I need help with an iRule to send traffic to different pools for SSL and non-SSL traffic. SSL requests on port 1500 go to pool 1.

Non-SSL requests on port 1500 go to pool 2.

Thanks, Aditya

5 Replies

  • So do you have two different virtual servers, one on 1500 and one on 1550? Just use a default pool for each of those.

    If you have only a virtual server on port 1500, just create a second virtual server on 1550 and have it go to the other pool. No iRule needed.

  • Hi Aditya,

    It is doable; let's say below is your requirement:

    • VIP is 1.1.1.1:1500
    • Pool1 servers are non-SSL servers
    • Pool2 servers are SSL servers
    • You want HTTP & HTTPS to work on the 1.1.1.1:1500 VIP.
    • HTTP traffic to go to Pool1
    • HTTPS traffic to go to Pool2

    1st, you have to create a client-ssl profile which would accept both SSL and non-SSL traffic (the profile name below is the same placeholder used in the virtual server config further down):

    tmsh create ltm profile client-ssl custom-clientsslprofile-name allow-non-ssl enabled

    2nd, you have to create the iRule:

    ltm rule ssl-and-nonssl-irule {
        when CLIENT_ACCEPTED {
            # Every connection starts out flagged as plain HTTP; the flag is
            # only raised if a client-side TLS handshake completes on it.
            set https_state 0
            log local0. "Lets set https_state value to as 0, meaning its a HTTP traffic"
        }

        when CLIENTSSL_HANDSHAKE {
            # Fires only for TLS clients. Non-SSL clients never reach this event
            # because the client-ssl profile has allow-non-ssl enabled.
            set https_state 1
            log local0. "Lets set https_state value to as 1, meaning its a HTTPS traffic"
        }

        when HTTP_REQUEST {
            # Pool selection is driven purely by the per-connection flag.
            if { $https_state == 0 } {
                pool pool_1
                log local0. "https_state value is 0, meaning its a HTTP traffic & HTTP Pool will be selected"
            } else {
                pool pool_2
                log local0. "https_state value is 1, meaning its a HTTPS traffic & HTTPS Pool will be selected"
            }
        }

        when SERVER_CONNECTED {
            if { $https_state == 0 } {
                # Plain client: do not re-encrypt towards the non-SSL servers in pool_1.
                log local0. "https_state value is 0, meaning its a HTTP traffic & forcing serverside SSL should not be selected"
                SSL::disable serverside
                log local0. "pool_1 connected"
            } elseif { $https_state == 1 } {
                # TLS client: leave the serverssl profile active towards pool_2.
                log local0. "https_state value is 1, meaning its a HTTPS traffic & serverside SSL would be selected"
                log local0. "pool_2 connected"
            }
        }
    }

    Finally, have the custom client-ssl & server-ssl profiles added to your VS. Add the iRule too. It would be something like below:

    ltm virtual test-ssl-nonssl {
        destination 1.1.1.1:1500
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            http { }
            custom-clientsslprofile-name {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            ssl-and-nonssl-irule
        }
        source 0.0.0.0/0
        source-address-translation {
            pool xxxx
            type snat
        }
        translate-address enabled
        translate-port enabled
        vs-index 123
    }

    Let me know how it goes.
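The answer above relies on the client-ssl profile's `allow-non-ssl` option to decide, from the first bytes a client sends on port 1500, whether a TLS handshake is starting or plain HTTP is arriving; only after that decision can the iRule's `https_state` flag and pool choice follow. The Python below is an added example written for this page (it is not F5 code and not from the thread) that performs the same first-bytes classification offline and maps the result onto the posted iRule's two states. The function names and the sample byte strings are constructed for illustration.

```python
"""Classify the first bytes of a TCP connection on a shared port as TLS or plain HTTP.

Added example, not from the original post or from F5. It mirrors the decision a
client-ssl profile with allow-non-ssl enabled has to make on 1.1.1.1:1500 before
the posted iRule can set https_state. All sample inputs below are constructed.
"""
from __future__ import annotations

TLS_HANDSHAKE_RECORD = 0x16   # record-layer ContentType handshake
TLS_MAJOR_VERSION = 0x03      # SSLv3 / TLS 1.x record versions all start with 0x03
CLIENT_HELLO = 0x01           # HandshakeType client_hello
MAX_RECORD_LEN = 0x4000 + 0x800  # 2^14 bytes plaintext plus the allowed expansion

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` begins with a TLS record header that carries a ClientHello."""
    if len(data) < 6:
        return False  # not enough bytes to see past the record header yet
    rec_type, major, minor = data[0], data[1], data[2]
    if rec_type != TLS_HANDSHAKE_RECORD or major != TLS_MAJOR_VERSION or minor > 0x04:
        return False
    rec_len = int.from_bytes(data[3:5], "big")
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False
    return data[5] == CLIENT_HELLO


def looks_like_plain_http(data: bytes) -> bool:
    """True if `data` begins with an HTTP request line method token."""
    return data.startswith(HTTP_METHODS)


def select_pool(first_bytes: bytes) -> tuple[str, int] | None:
    """Return (pool, https_state) as the posted iRule would choose them.

    None means the connection cannot be classified from these bytes: either more
    data is needed or the client is speaking neither TLS nor HTTP.
    """
    if looks_like_tls_client_hello(first_bytes):
        return ("pool_2", 1)  # CLIENTSSL_HANDSHAKE will fire -> https_state 1
    if looks_like_plain_http(first_bytes):
        return ("pool_1", 0)  # stays at the CLIENT_ACCEPTED default -> https_state 0
    return None


# Constructed samples: a TLS 1.x ClientHello record prefix, a plain request, junk.
SAMPLE_TLS = bytes.fromhex("160301 00a5 01 0000a1 0303") + b"\x00" * 32
SAMPLE_HTTP = b"GET /health HTTP/1.1\r\nHost: 1.1.1.1:1500\r\n\r\n"
SAMPLE_UNKNOWN = b"\x00\x01\x02"


def classify_samples() -> dict[str, tuple[str, int] | None]:
    """Run the classifier over the constructed samples and return the decisions."""
    return {
        "tls": select_pool(SAMPLE_TLS),
        "http": select_pool(SAMPLE_HTTP),
        "unknown": select_pool(SAMPLE_UNKNOWN),
    }


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:8s} -> {decision}")
```

Two points worth keeping in mind when you test the real deployment: the record-layer version in a ClientHello is usually 0x0301 even for TLS 1.3 clients, so the version check above deliberately accepts any minor up to 0x04, and a connection that sends nothing first can never be classified, which is fine for HTTP because the client always speaks first. On the BIG-IP itself, `openssl s_client -connect 1.1.1.1:1500` and `curl -v http://1.1.1.1:1500/` from a test host exercise both paths, and the `log local0.` lines in the iRule land in /var/log/ltm, so you can confirm each connection took the pool you expected.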