Forum Discussion

Antonio_Varni
Aug 18, 2010

'generic' detect SSL::mode irule

I swear I had this working a long time ago on 9.4. I'm on 10.2 now and currently have a default irule that we use for all vips (http and https) as well as an additional irule we use for all https vips that simply does:

    rule insertHeader_sslInfo {
       when HTTP_REQUEST {
          HTTP::header replace SSLMode "True"
       }
    }

so our back end apps know the connection between the client and load balancer is secure. I want to fold this irule into our 'default' irule like:

    when HTTP_REQUEST {
       if { [SSL::mode] == 1 } {
          HTTP::header replace SSLMode "True"
       }
    }

But I get the error when I try to apply this to HTTP vips:

"SSL::mode in rule (irule-default-test) requires an associated SERVERSSL or CLIENTSSL profile on the virtual server (example.com-http)."

Is there any other way I can accomplish this? tia!

3 Replies

  • Nothing on this? I am trying the same thing and it looks like SSL::mode was removed in 10.
  • FYI I came across this instead.

    when CLIENT_ACCEPTED {
       # Treat connections to local port 443 as SSL
       set isSSL 0
       if { [TCP::local_port] == 443 } {
          set isSSL 1
       }
    }

    I use that instead of SSL::mode. Hope that helps
  • I think SSL::mode still exists but the validation around it has been tightened:

    
    when HTTP_REQUEST {
    
       set ssl_mode_cmd "SSL::mode"
       if { [eval $ssl_mode_cmd] == 1 } {
          HTTP::header replace SSLMode "True"
       } else {
          HTTP::header remove SSLMode
       }
    }
    

    Setting isSSL to 0 or 1 won't actually modify the request in any way. And checking the port won't stop someone from sending HTTP on port 443.

    Aaron