Translating an F5 rule
WBrown at e1b.org
Tue Mar 19 15:42:59 UTC 2013
Peter Booth wrote on 03/19/2013 10:43:12 AM:
> The code does the following:
> 1. remove an HTTP header named "SWSSLHDR"
> 2. replaces it with SWSSLHDR: port, where the port is the local port of
> the "current context's TCP connection", presumably the port that your F5
> virtual server is listening on.
I had somewhat figured that out. It isn't clear from the notes I got from
the vendor as to what the current context is. I'm guessing the client side,
but I can test that.
> This is presumably to separate SSL and non SSL traffic , or to allow for
> load balancing across websites that are hosted on ports 8080, 8000 or
> other nonstandard ports.
> One thought- are you configuring the nginx server to terminate SSL and
> then proxy to a single upstream endpoint? Is this the same topology as
> the F5 one? Is the entire site SSL or just the login portions?
Presently, we are using a CentOS box with Piranha for load balancing, but
we wish to implement SSL. There are about 50 sites hosted with three
upstream servers. I don't want to tie up 150 IP addresses for SSL on
them, so I want to terminate the SSL connection at the nginx server and
use HTTP on port 80 to connect from nginx to IIS.
The F5 information is just what the IIS application vendor says they use
in their configuration. We may be buying an F5 in the future, but I need
SSL in the short term.
Would I add to the location section something like this:
more_set_input_headers -r 'SWSSLHDR: $server_port';
If $server_port isn't correct, I could try $remote_port. Are there any
other port variables that I've missed?
From my reading of the F5 docs, the "when HTTP_REQUEST" indicates this is
only processed on requests received from clients. Since they are always
removing the SWSSLHDR from incoming requests, then adding it again, I
think using the -r option is sensible and only adding it if it exists.
Now I'm off to rebuild nginx with HttpHeadersMoreModule.
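The configuration below is an added example, not part of WBrown's post or of the vendor's F5 rule. It shows what the translation discussed in the thread looks like once nginx is built with HttpHeadersMoreModule: SSL terminated at nginx, plain HTTP on port 80 to the IIS upstreams, and SWSSLHDR set to the port nginx accepted the connection on. The hostnames, certificate paths and upstream addresses are placeholders. One caveat the example builds in: the F5 rule as described at the top of the thread removes the header and re-inserts it on every request, so the value the backend sees always comes from the proxy; the example therefore sets it unconditionally, whereas with the -r option the header would be set only when the client already sent one.

```nginx
# Added example (not from the original post): nginx as the SSL terminator in
# front of the three IIS servers, setting SWSSLHDR the way the F5 rule described
# in the thread does (strip whatever the client sent, insert the local port).
# Hostnames, paths and addresses below are constructed placeholders.

upstream iis_backend {
    # constructed placeholder addresses for the three IIS servers (plain HTTP)
    server 192.0.2.11:80;
    server 192.0.2.12:80;
    server 192.0.2.13:80;
}

server {
    listen 443 ssl;
    server_name www.example.com;   # placeholder; one server block (SNI) per hosted site

    ssl_certificate     /etc/nginx/ssl/www.example.com.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

    location / {
        # Mirror the F5 rule: the value must come from the proxy, not from the
        # client, so set it unconditionally (no -r). With -r the header would be
        # forwarded only when the client already sent one, and a request that
        # omits it would reach IIS without it.
        #
        # $server_port is the port nginx accepted the connection on (443 here);
        # $remote_port is the client's ephemeral source port, which is not what
        # the rule wants.
        more_set_input_headers 'SWSSLHDR: $server_port';

        # Equivalent with stock nginx (no headers-more module): proxy_set_header
        # likewise overrides any client-supplied header of the same name.
        # proxy_set_header SWSSLHDR $server_port;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://iis_backend;
    }
}
```

Because both `more_set_input_headers` (without -r) and `proxy_set_header` replace an existing header of the same name, a client cannot pass its own SWSSLHDR value through to IIS; that is the property the remove-then-insert F5 rule relies on, and it is worth confirming with a test request that sends a bogus SWSSLHDR and checking what the backend logs.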