SSL security and Service group selection

rwilliams Member
Hi,

I am currently using a script that redirects incoming requests to specific service groups based on the host and URI. This is used for various stages in our software testing and QA cycle; an excerpt of the script can be found below:

# Provides Service Group Selection based on both Host and URI
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host][HTTP::uri]] {
        "secure453.company.local/messaging/*" {
            pool "rt01 - mesaging"
        }
        "secure453.company.local/admin/*" {
            pool "rt01 - admin"
        }
        "secure442.company.local/admin/*" {
            pool SYSTEM_TEST-Admin
        }
        "secure442.company.local/messaging/*" {
            pool SYSTEM_TEST-messaging
        }
    }
}

The script works fine and behaves as expected when it comes to delivering requests to the right service group. The issue is that when I use the script with HTTPS connections and a Chrome browser, the browser displays issues with the security of the site. I.e. I get the following message when I click on the icon next to the URL in the address bar:

"your connection to secure442.company.local is encrypted using modern cipher suite. Further, this page includes other resources which are not secure."

However, if I remove the aFlex script from the VIP and specifically direct it at one of the service groups, i.e. "SYSTEM_TEST-Admin", and connect, Chrome doesn't moan about the SSL connection and I get a nice green padlock in the address bar next to the URL, even though it is the same URL as before, except that instead of using the aFlex script to direct it to the service group, I am specifying the group directly in the VIP config.

This only happens in Chrome; IE and Mozilla don't moan and show the padlock. So I know it's just an issue between the way Chrome and the aFlex script are interacting.

Any suggestions as to what it could be?

Thanks
Ryan
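
Chrome's "other resources which are not secure" wording refers to subresources referenced over plain HTTP. The following is an added example, not part of the original post: it lists such references in an HTML body and compares the body served through the aFlex script with the one served when the VIP points at the service group directly. The sample bodies, paths and `example.test` are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource.
# <a href> is absent on purpose: a plain link is navigation, not mixed content.
# <link href> is taken regardless of rel, so rel=canonical is a known false positive.
FETCHING_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",),
    "form": ("action",),
}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in FETCHING_ATTRS.get(tag, ()):
                continue
            # srcset is a comma-separated list of "url descriptor" candidates.
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                if url.lower().startswith("http://"):
                    self.insecure.add((tag, name, url))

def insecure_refs(html):
    """Return {(tag, attribute, url)} for every plain-HTTP subresource."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return collector.insecure

def compare(via_script_html, direct_html):
    """Split insecure references by which delivery path served them."""
    a, b = insecure_refs(via_script_html), insecure_refs(direct_html)
    return {"only_via_script": a - b, "only_direct": b - a, "both": a & b}

# Constructed sample bodies (not captures from the poster's system).
IMG = ('<img srcset="https://secure442.company.local/admin/a.png 1x, '
       'http://secure442.company.local/admin/a2.png 2x">')
VIA_SCRIPT = ('<link rel="stylesheet" href="http://secure442.company.local/admin/site.css">'
              '<script src="/admin/app.js"></script><a href="http://example.test/">x</a>' + IMG)
DIRECT = VIA_SCRIPT.replace('href="http://secure442', 'href="https://secure442')

if __name__ == "__main__":
    for bucket, refs in compare(VIA_SCRIPT, DIRECT).items():
        print(bucket, sorted(refs))
```

An empty `only_via_script` set means the two paths return the same insecure references, which points away from the page content and toward the connection itself.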

Comments

  • diederik Member
    edited October 2015
    If Chrome does not like the connection, it will tell you more than what you inform us about.
    So, in front of the line you quote, it most likely does show you a green icon, right?
    What else is it showing you?
    And what is the certificate information telling you? Are you using a self signed cert?

    Btw, what version are you using?
  • rwilliams Member
    edited October 2015
    Hi Diederik,

    Thanks for the reply. You're right, it does say more; I was just trying to keep the initial message short. I have attached 2 images (png) of the "site information" that pops up in Chrome. One shows the information when using the aFlex script, the other when the VIP has been set to use the service group directly with no script. In both cases the URL accessed is the same, and the service group is the same. In addition, the service groups only contain one single server, so the backend connection is going to the same real server. In the images I have erased the actual company name in the details.

    The certificate is self signed using a self signed CA which is imported into the local certificate store on the local host.

    Device version is 2.7.2-P5(build: 151)

    Regards
    Ryan
  • diederik Member
    edited October 2015
    Interesting... it seems Chrome really detects non-encrypted traffic.
    Or maybe certain connections do fall back to a less secure communication method.

    First I would go to 2.7.2-P6

    And then open a case with support.

    If you can, provide them with packet traces of both situations, so they can compare them and see what the difference is.
  • rwilliams Member
    edited October 2015
    Interesting indeed. As initially stated, it's only Chrome. IE/Mozilla have no issue; both display the padlock and show a secure connection.

    I will upgrade to 2.7.2-P6 first and see if the issue persists as suggested and then log a support case.

    I will keep this post up to date with findings.
  • diederik Member
    edited October 2015
    Yeah, Chrome is pretty strict, and I think they perform more checks.
    I wonder if SSL Labs would notice differences.

    Keep us posted :)
  • rwilliams Member
    edited November 2015
    Update to this.

    I upgraded to 2.7.2-P6 and that seems to have resolved the issue. I now get a nice green lock symbol from Chrome whether I am using an aFlex script or going direct to a service group.

    I double checked that it was the software version causing the issue by rolling back to 2.7.2-P5(build: 151), and sure enough the symptoms re-occurred.

    Now sitting on 2.7.2-P6 and all is well.

    Thanks for all replies and comments.
    Ryan
  • rwilliams Member
    edited November 2015
    Update to this.

    Recently upgraded to 4.0.1 build 214, and the issue experienced previously, where using an aFlex script to choose the service group based on URL affects the way Chrome views the security of the page, has re-occurred.