Jeremy_Schonebe
Jun 09, 2017

SSL Offloading using iRules

Hello - I have the following iRule in place for an internal application.

    when CLIENT_ACCEPTED {
        # Select the pool by the port the client connected to
        if { [TCP::local_port] == 80 } {
            pool MWS-MDU-COM_HTTP_POOL
        } elseif { [TCP::local_port] == 8090 } {
            pool MWS-MDU-COM_8090_POOL
        } elseif { [TCP::local_port] == 8000 } {
            pool MWS-MDU-COM_8000_POOL
        } elseif { [TCP::local_port] == 8085 } {
            pool MWS-MDU-COM_8085_POOL
        } else {
            reject
        }
    }

I am using the same Virtual Server for each of these pools. Now the developer would like to use 443 instead of 80 (first "if" statement) and do the SSL offloading at the F5. I have a wildcard cert that I can use for this already imported on our F5. I am just curious how to re-write this iRule to make this happen?

- Thanks in advance
  • Hi,

    If I am not wrong, you need to accept HTTPS on the standard port 443 instead of HTTP on 80. What about the other ports? I assume those will still use HTTP on the client side?

    If so, the first step is of course to attach a clientssl profile to the VS and then selectively enable it in the iRule, something like this:

    when CLIENT_ACCEPTED {
        # Client SSL profile is attached to the VS; keep it off unless the port is 443
        SSL::disable
        if { [TCP::local_port] == 443 } {
            # Terminate TLS on the BIG-IP for this port only
            SSL::enable
            pool MWS-MDU-COM_HTTP_POOL
        } elseif { [TCP::local_port] == 8090 } {
            pool MWS-MDU-COM_8090_POOL
        } elseif { [TCP::local_port] == 8000 } {
            pool MWS-MDU-COM_8000_POOL
        } elseif { [TCP::local_port] == 8085 } {
            pool MWS-MDU-COM_8085_POOL
        } else {
            reject
        }
    }
    

    BTW: It is not important to have a wildcard cert; anyway, you are using one VS mapped to one FQDN, so you can use a standard FQDN-based one. Port changes are relevant for SSL.

    Piotr
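
A check to run after applying a rule like the one in the reply above, added here as an example and not part of the original thread: it confirms that 443 completes a TLS handshake while 8090, 8000 and 8085 still answer cleartext HTTP. The names `probe`, `check` and `EXPECTED` are hypothetical, the virtual server's FQDN is passed on the command line, and the certificate chain is deliberately not validated.

```python
import socket
import ssl
import sys

# Ports from the iRule in this thread and the client-side mode each should show.
EXPECTED = {443: "tls", 8090: "plain", 8000: "plain", 8085: "plain"}


def probe(host, port, timeout=3.0):
    """Classify one listener as 'tls', 'plain' (cleartext HTTP) or 'rejected'."""
    ctx = ssl.create_default_context()
    # Only the listener mode is tested here, not the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed: SSL is enabled on this port
    except OSError:
        pass  # includes ssl.SSLError: no TLS here, fall through to cleartext
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            if s.recv(16).startswith(b"HTTP/"):
                return "plain"
    except OSError:
        pass
    return "rejected"  # refused, reset, or no HTTP answer


def check(host, expected=EXPECTED):
    """Return {port: (expected, observed)} for every port that deviates."""
    observed = {port: probe(host, port) for port in expected}
    return {p: (expected[p], observed[p]) for p in expected if observed[p] != expected[p]}


if __name__ == "__main__":
    # Usage: python check_ports.py <virtual-server FQDN>; exits 1 on any mismatch.
    mismatches = check(sys.argv[1])
    for port, (want, got) in sorted(mismatches.items()):
        print(f"port {port}: expected {want}, observed {got}")
    sys.exit(1 if mismatches else 0)
```

A port reported as `tls` that was expected to be `plain` means the `SSL::disable` default is not taking effect; a `plain` result on 443 means the clientssl profile is not being enabled for that port.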