Forum Discussion

atoth
Mar 02, 2017

http to http without a 30x redirect?

Sorry, question should say http to https without a 30x redirect.

 

when HTTP_REQUEST {
    if 
        set usessl 1
    } else {
        set usessl 0
    }
}
when SERVER_CONNECTED {
    if { $usessl == 1 } {
        SSL::profile 
    } else {
        SSL::disable
    }
}


What I'm trying to do is go from an unencrypted VIP to an encrypted VIP without using a 301 redirect. What I've done is put a server SSL profile on the VIP and hoped that it would use it when it connected to the destination VIP, but when I curl to the source VIP, it looks like the SSL session fails prematurely. Anyone know what might be going on?

 

4 Replies

  • Your code looks good to me. What are you using in "" ? Are you just placing the SSL pool? Could you share the VS setup?

     

  • Why don't you use an LTM policy to achieve your goal? When you use an iRule, profiles need to be already in place, although you only want to enable a profile if a special condition is met. With LTM policies you can enable or disable features on the VS without enabling a profile within the VS itself beforehand.

     

    Since v12 LTM policies are very clear and straightforward. In v11 they are usable but it's hard to understand the GUI correctly.

     

    Greets, svs

     

  • > Your code looks good to me. What are you using in "" ? Are you just placing the SSL pool? Could you share the VS setup?

     

    So this is the full iRule. The destination VIP makes use of SNI, so I've tried both changing the destination VIP header to what it expects and using a custom server SSL profile together, but that didn't seem to work.

     

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/Fwoosh/" } {
            set uri [string range [HTTP::uri] 8 end]
            set usessl 1
            HTTP::header replace "Host" ""
            HTTP::uri "/Bar/$uri"
            node  443
        } else {
            set usessl 0
        }
    }
    when SERVER_CONNECTED {
        if { $usessl == 1 } {
            SSL::profile 
        } else {
            SSL::disable
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::is_redirect] } {
            HTTP::header replace "Host" ""
        }
    }

    > Since v12 LTM policies are very clear and straightforward. In v11 they are usable but it's hard to understand the GUI correctly.

     

    On version 11.x code. Probably not going to upgrade to v12 for a while.

     

  • So if I understand you correctly, you wish to send traffic to two different pools, where one pool uses HTTP servers and the other pool uses HTTPS servers? So based on the URI, the BIG-IP virtual server can serve both websites originating from either HTTP or HTTPS, while the client continues to stay connected to the same virtual server talking, for example, HTTP?

     

    Maybe this piece of code helps you get going:

     

    when CLIENT_ACCEPTED {
        SSL::disable serverside
    }
    
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/Fwoosh/" } {
            set uri [string range [HTTP::uri] 8 end]
            HTTP::header replace "Host" ""
            HTTP::uri "/Bar/$uri"
            LB::detach
            SSL::enable serverside
            pool some_https_pool
        }
    }

    Your VS will need a default_pool (HTTP) and an attached serverssl profile.
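
An added example, not part of the original thread or any poster's code: a variant of the last reply's iRule that also handles client keep-alive, where one client connection alternates between /Fwoosh/ requests and everything else, so that server-side TLS always matches the pool being selected. The pool name some_https_pool comes from the reply; the Host value secure.example.invalid and the variable names are placeholders assumed for illustration.

```tcl
# Added example. Assumes the VS has a default (HTTP) pool and a
# server SSL profile attached, as the last reply requires.
when CLIENT_ACCEPTED {
    # Remember the VS default pool so plain-HTTP requests can return to it.
    set default_pool [LB::server pool]
    # Tracks whether the current server-side flow was set up for TLS.
    set to_https 0
    SSL::disable serverside
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/Fwoosh/" } {
        set want_https 1
    } else {
        set want_https 0
    }

    # When a keep-alive client switches between the two back ends,
    # drop the existing server-side connection so the next one is
    # opened with the correct TLS setting.
    if { $want_https != $to_https } {
        LB::detach
        set to_https $want_https
    }

    if { $want_https } {
        # Strip the 8-character "/Fwoosh/" prefix and map it to /Bar/.
        set uri [string range [HTTP::uri] 8 end]
        # Placeholder host name (assumption); use the name the HTTPS
        # back end expects.
        HTTP::header replace "Host" "secure.example.invalid"
        HTTP::uri "/Bar/$uri"
        SSL::enable serverside
        pool some_https_pool
    } else {
        SSL::disable serverside
        pool $default_pool
    }
}
```

Because the client side stays on plain HTTP, only the BIG-IP to back-end leg is encrypted; whether the back-end certificate is validated depends on the attached server SSL profile, not on this iRule.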