Forum Discussion

El_Jefe's avatar
Icon for Nimbostratus rankNimbostratus
Jul 11, 2011

Append FQDN to https request




I am sure this has been asked many times, but I could not find it in search. We use our F5s here internally, and the users can get to the websites using an internal hostname - like https://server1 When it appears like this in the browser, the SSL cert is actually for, and so, the browser complains about the SSL cert. Is there any way to automatically append the to the request?








9 Replies

  • Hi Jeff,

    If the first request is for https://server1 then the error occurs before LTM decrypts the SSL and could modify the HTTP headers. If the clients make an HTTP request first to http://server1, then you could redirect their HTTP request to HTTPS with the fully qualified domain name:

    when HTTP_REQUEST {

  • Colin_Walker_12's avatar
    Historic F5 Account
    As Aaron mentioned, there's a bit of a chicken vs. egg issue that many users end up facing when dealing with manipulating SSL traffic. The traffic must be decrypted on the LTM before any manipulation can be performed. The problem is, as in this case, if the user is requesting a name not represented on the certificate, they're going to get the initial mismatch error on the first handshake with the LTM, even if you're decrypting SSL on the LTM. At that point, now that the traffic is decrypted, you can certainly manipulate the traffic at will, but it's too late to stop them from seeing the initial SSL mismatch error.



  • The short answer is No.



    The client browser would be expecting a response matching the request "server1". The BIG-IP would respond with the SSL Certificate that is tied to that Virtual Server "".



    The BIG-IP cannot analyze, modify, or change the SSL Profile being used on the Virtual Server with an iRule until after the traffic decryption (which is after the handshake that causes the SSL Certificate Mismatch Error).
  • LOL.....Nah....what you and Hoolio said.



    We all jumped on this one.



    I was typing my reply while you guys were posting yours.



    Oops! :-)
  • Colin_Walker_12's avatar
    Historic F5 Account
    I'll take more coverage over less any day. I love this dang community. :)



  • If you are involved with the issuing of the certificates, check out the use of Subject Alternative Names for your SSL certificate. Here is a quick explanation ->
  • Yea....that is a good point Ryan.



    Some multi-SAN's cost the same as a Standard (the ones I use are 2 SAN Certificates called "Advantage Certificates". I have also heard them referred to as "Multi-Domain" Certificates).



    The larger ones are Unified Communication Certificates (UCC) and normally used in newer (2007 and newer) Exchange Environments, and can have 10 or more SAN's.