RE: Translating an F5 rule

w.b
March 19, 2013 11:44AM
Peter Booth wrote on 03/19/2013 10:43:12 AM:

> The code does the following:
>
> 1. remove an HTTP header named "SWSSLHDR"
> 2. replaces it with SWSSLHDR: port, where the port is the local port of
> the "current context's TCP connection", presumably the port that your F5
> virtual server is listening on.

I had somewhat figured that out. It isn't clear from the notes I got from
the vendor as to what the current context is. I'm guessing the client side,
but I can test that.

> This is presumably to separate SSL and non SSL traffic, or to allow for
> load balancing across websites that are hosted on ports 8080, 8000 or
> other nonstandard ports.
>
> One thought: are you configuring the nginx server to terminate SSL and
> then proxy to a single upstream endpoint? Is this the same topology as
> the F5 one? Is the entire site SSL or just the login portions?

Presently, we are using a CentOS box with Piranha for load balancing, but
we wish to implement SSL. There are about 50 sites hosted with three
upstream servers. I don't want to tie up 150 IP addresses for SSL on
them, so I want to terminate the SSL connection at the nginx server and
use HTTP on port 80 to connect from nginx to IIS.

The F5 information is just what the IIS application vendor says they use
in their configuration. We may be buying an F5 in the future, but I need
SSL in the short term.

Would I add to the location section something like this:

more_set_input_headers -r SWSSLHDR $server_port

If $server_port isn't correct, I could try $remote_port. Are there any
other port variables that I've missed?

From my reading of the F5 docs, the "when HTTP_REQUEST" indicates this is
only processed on requests received from clients. Since they are always
removing the SWSSLHDR from incoming requests, then adding it again, I
think using the -r option is sensible and only adding it if it exists.

Now I'm off to rebuild nginx with HttpHeadersMoreModule.




_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
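
Editor's added example (not part of the post above, and not the vendor's or F5's configuration): one way to get the remove-then-insert behaviour of the F5 rule with stock nginx, so that the value IIS sees in SWSSLHDR is always set by the proxy and never by the client. The upstream name, addresses, server name and certificate paths are placeholders, and it is an assumption that the application expects the listener port (443 or 80) in the header.

```nginx
# Added example. Upstream name, addresses, server_name and certificate
# paths are placeholders, not values from the thread.
upstream iis_pool {
    server 192.0.2.11:80;
    server 192.0.2.12:80;
    server 192.0.2.13:80;
}

# TLS is terminated here; IIS is reached over plain HTTP on port 80.
server {
    listen 443 ssl;
    server_name site1.example.com;

    ssl_certificate     /etc/nginx/ssl/site1.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/site1.example.com.key;

    location / {
        proxy_set_header Host $host;

        # $server_port is the port of the listener that accepted the
        # request (443 here). $remote_port is the client's source port,
        # which says nothing about whether the request arrived over SSL.
        #
        # proxy_set_header replaces any SWSSLHDR the client sent and adds
        # the header when the client sent none, so the backend cannot be
        # fed a forged value. The -r form discussed in the post only
        # rewrites the header when it is already present in the request.
        proxy_set_header SWSSLHDR $server_port;

        proxy_pass http://iis_pool;
    }
}

# Plain HTTP listener for the same site: the backend sees SWSSLHDR: 80.
server {
    listen 80;
    server_name site1.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header SWSSLHDR $server_port;
        proxy_pass http://iis_pool;
    }
}
```

To check the overwrite, send a request to the port 80 listener with a forged SWSSLHDR: 443 header and confirm that the value logged on the IIS side is 80.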