Forum Discussion
Allow or Redirect HTTPS traffic based on destination domain
I have the following iRule working for HTTP traffic on a VS allowing only port 80. I need to do the same thing for HTTPS traffic but get cert errors on the client. I have tried turning on clientssl and serverssl on the VS with no change to the behavior.
The requirement behind this is to restrict web traffic from hosts behind the F5 to defined domains only. If there is a better way, please let me know.
```tcl
when HTTP_REQUEST {
    # Allow listed hosts through to the transit pool; anything else is redirected
    switch -glob [HTTP::host] {
        "microsoft.com" { pool APPDEV-USERVM-TRANSIT }
        ".msdn.com" { pool APPDEV-USERVM-TRANSIT }
        "*.windows.com" { pool APPDEV-USERVM-TRANSIT }
        ".technet.com" { pool APPDEV-USERVM-TRANSIT }
        ".live.com" { pool APPDEV-USERVM-TRANSIT }
        default {
            HTTP::redirect "http://www.abc.com"
            pool APPDEV-USERVM-TRANSIT
        }
    }
}
```
4 Replies
- Luke_Lehman
Employee
To do any Layer 7 behavior changes, you'll need SSL termination on the LTM with a clientssl profile. Let's focus on that as a first step. I'm a little curious though as to what host name is hitting this virtual server as it looks like multiple are coming through. SAN Certs can be used for multiple domains, but there are some restrictions there, too. Is this traffic outbound from your network to the domains you've provided in the example iRule?
- mlick2
Nimbostratus
Yes, this is outbound traffic from our hosts to external domains which we need to restrict access to. From your suggestion, I am wondering if something like this would work: https://devcentral.f5.com/articles/multiple-certs-one-vip-tls-server-name-indication-via-irules I currently have wildcard clientssl and serverssl certs applied, and if I hit a site not in the list, I get the redirect. However, if I go to a site in the list, I get the cert warning but the connection does not complete.
- Luke_Lehman
Employee
Have you done a tcpdump on both sides of the BIG-IP to see what the behavior looks like? The cert warning makes it seem like it is promising, but we may need to get down to the nitty gritty.
- hoolio
Cirrostratus
Hi Matt,
If you want to decrypt SSL traffic destined for arbitrary FQDNs, and you have a root certificate that all client browsers trust, you can use the SSL forward proxy feature in LTM. It was added in 11.3.0:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html
Aaron