Jim_Araujo_1061
Dec 09, 2013

iRule to choose SSL serverside Profile to use based on HTTP_REQUEST

Hi Folks,

 

I want to think this is possible. I am trying to select the serverside connection's SSL profile based on the HTTP_REQUEST and host header. For example,

 

If the host header is abc.example.com I want the serverside SSL profile to be the default serverssl. But if the host header is xyz.example.com then I want the serverside SSL profile to be serverssl-insecure-compatible. The client side connection works fine, and I am also using a wildcard cert for example.com

 

I've seen a lot of posts on enabling or disabling ssl serverprofiles, but not about selecting which profile to use.

 

Here is my code thus far.

 

when HTTP_REQUEST {
    HTTP::header remove "Accept-Encoding"

    switch [string tolower [HTTP::host]] {
        "abc.example.com" {
            # Server SSL profile select goes here
            pool abc_pool_https
        }
        "xyz.example.com" {
            # Server SSL profile select goes here
            pool xyz_pool
        }
    }
}
  • Figured it out! Had to add a variable in the HTTP_REQUEST and add the event for SERVER_CONNECTED. See code below.

     

    when HTTP_REQUEST {
        HTTP::header remove "Accept-Encoding"

        # Reset on every request so SERVER_CONNECTED never reads an unset variable
        set doSSL 0

        switch [string tolower [HTTP::host]] {
            "abc.example.com" {
                # Server SSL profile select goes here
                pool abc_pool_https
            }
            "xyz.example.com" {
                set doSSL 1
                pool xyz_pool
            }
        }
    }
    when SERVER_CONNECTED {
        if { $doSSL == 1 } {
            SSL::enable serverside
            SSL::profile serverssl-insecure-compatible
        }
    }
  • This is older but I wanted to add my notes/comments because I just ran into this. Hope this helps someone out in the future.

    I added a default SSL server profile to my VIP. Then I updated my primary iRule to initially disable the server side SSL for all sites and then re-enable it on the website that I needed it on.

    when CLIENT_ACCEPTED {
        # Start every connection with server-side SSL off
        SSL::disable serverside
    }

    when HTTP_REQUEST {
        # The host is lowercased here, so every pattern below must be lowercase too
        switch [string tolower [HTTP::host]] {
            site1.website.com { pool site1.website.com_pool }
            site2.website.com { pool site2.website.com_pool }
            sslsite3.website.com {
                # Re-enable server-side SSL only for this site
                SSL::enable serverside
                pool SSLsite3.website.com_pool
            }
            site4.website.com { pool site4.website.com_pool }
            default { reject }
        }
    }
    
  • Hi,

     

    You can do this more easily since version 11.5 (the feature is available in 11.4 but not working...) with Local traffic policies.

     

    Rule 1:

     

    • Condition :
      • HTTP-host host site1.website.com
    • action :
      • forward pool site1.website.com_pool
      • serverssl disable

    Rule 2:

     

    • Condition :
      • HTTP-host host site2.website.com
    • action :
      • forward pool site2.website.com_pool
      • serverssl disable

    Rule 3 (SSL Site):

     

    • Condition :
      • HTTP-host host site3.website.com
    • action :
      • forward pool site3.website.com_pool