Translating an F5 rule

WBrown at e1b.org
Tue Mar 19 15:42:59 UTC 2013


Peter Booth wrote on 03/19/2013 10:43:12 AM:

> The code does the following:
> 
> 1. remove an HTTP header named "SWSSLHDR"
> 2. replaces it with SWSSLHDR: port, where the port is the local port of
> the "current context's TCP connection", presumably the port that your F5
> virtual server is listening on. 

I had somewhat figured that out.  It isn't clear from the notes I got from 
the vendor as to what the current context is.  I'm guessing the client side, 
but I can test that.
 
> This is presumably to separate SSL and non SSL traffic , or to allow for
> load balancing across websites that are hosted on ports 8080, 8000 or
> other nonstandard ports. 
> 
> One thought- are you configuring the nginx server to terminate SSL and
> then proxy to a single upstream endpoint? Is this the same topology as
> the F5 one? Is the entire site SSL or just the login portions?

Presently, we are using a CentOS box with Piranha for load balancing, but 
we wish to implement SSL.  There are about 50 sites hosted with three 
upstream servers.  I don't want to tie up 150 IP addresses for SSL on 
them, so I want to terminate the SSL connection at the nginx server and 
use HTTP on port 80 to connect from nginx to IIS.

The F5 information is just what the IIS application vendor says they use 
in their configuration.  We may be buying an F5 in the future, but I need 
SSL in the short term.

Would I add to the location section something like this:

        more_set_input_headers -r "SWSSLHDR: $server_port";

If $server_port isn't correct, I could try $remote_port.  Are there any 
other port variables that I've missed?

From my reading of the F5 docs, the "when HTTP_REQUEST" indicates this is 
only processed on requests received from clients.  Since they are always 
removing the SWSSLHDR from incoming requests, then adding it again, I 
think using the -r option is sensible and only adding it if it exists.

Now I'm off to rebuild nginx with HttpHeadersMoreModule.




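The following nginx configuration is an added illustration of the topology described in this message (TLS terminated at nginx, plain HTTP on port 80 to the IIS servers, the listening port handed to the application in SWSSLHDR). It is not code from the thread, the vendor or the nginx project; the upstream name, server addresses, host name and certificate paths are made up for the example. It uses the built-in proxy_set_header instead of the headers-more module, because proxy_set_header always overwrites the header sent upstream: whatever SWSSLHDR a client puts in its own request is discarded, which is the same remove-then-insert behaviour the F5 rule has and keeps a client from claiming a port it did not connect to.

```nginx
# Added example, not from the original thread. Names and addresses are constructed.

# The three IIS servers reached over plain HTTP (constructed addresses).
upstream iis_backend {
    server 10.0.0.11:80;
    server 10.0.0.12:80;
    server 10.0.0.13:80;
}

# One server block per hosted site; with SNI all of them can share a single
# IP address and port 443, so no per-site addresses are needed.
server {
    listen 443 ssl;
    server_name site1.example.com;                        # constructed host name

    ssl_certificate     /etc/nginx/ssl/site1.example.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/ssl/site1.example.com.key;

    location / {
        proxy_pass http://iis_backend;

        # Preserve the site name so IIS routes to the right host header binding.
        proxy_set_header Host $host;

        # $server_port is the port nginx accepted this connection on (443 here),
        # i.e. the local port of the client-side TCP connection, which is what
        # the quoted description of the F5 rule refers to. $remote_port would be
        # the client's ephemeral source port and is not what the application wants.
        # proxy_set_header replaces any SWSSLHDR the client sent, so the value
        # IIS sees is always nginx's own, never the client's.
        proxy_set_header SWSSLHDR $server_port;

        # Also useful to applications that check how the client connected.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If the headers-more module is used instead, note that more_set_input_headers takes a single "Name: value" string (for example more_set_input_headers "SWSSLHDR: $server_port";) rather than the name and value as separate arguments, and that with -r the header is only replaced when the client already sent one, so a request without SWSSLHDR reaches IIS without it.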


