Bypass Host

Question

HiI have multiples websites hosted in same virtual server. But these websites are from differents domains; e.g. "corporate.com" and "corp.net""corp.net" use letsencrypt for the certificates, so these changes every 3 months. When I redirect traffic to BigIP virtual server I can access "corporate.com" but "corp.net" shows me SSL certificate warning and aint no able to access it, because it's getting the corporate.com certificate.&nbsp;Both websites use https.I need an iRule to bypass the traffic of corp.net, I tried with:when HTTP_REQUEST {if { [HTTP::host] contains "corp.net"{ASM::disableSSL::disable clientsideSSL::disable serversidepool pool_10.0.1.1}}&nbsp;But it does not work. Any idea?

nikoolayy1 · Answer

Google the ASM::disable and SSL::disable as they can be used at specific F5 events. I still do not know what are you trying to do but for stopping something like SSL decryption based on SNI or CN in the common name it will be really complex and you may look at if it helps:
&nbsp;
https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf

ca_valli · Answer

Hello&nbsp;Jair_CandiaIf I'm interpreting te problem right, you have SSL issue due to SNI mismatch when you access corp.net service.My guess would be, your VS might be missing SSL configuration. I wanted to understand better if you have any restraints in importing corp.net certificate on F5 because this will make configuration easier.&nbsp;For multiple SNI support you can configure a second clientSSL profile with explicit "corp.net" SNI (or wildcard equivalent) and make "corporate.com" clientSSL profile default for all SNI. Of course, if certificate changes every three months you should remember to upload it on F5 every time.&nbsp;If you need F5 to pass-through SSL for corp.net only, configuration is trickier. Easiest way, if possible, is to have different Virtual Servers - one with and one without SSL profiles.If they must coexist on same VS, you need to perform the SSL disable operations ar right time in traffic flow. HTTP_REQUEST event is too late since SSL handshake already happened.&nbsp;I believe your best bet would be CLIENT_ACCEPTED event - this is TCP handshake, but in this case you should write matching conditions based on TCP properties. Or, (I'm not sure about this), you might be able to disable SSL on CLIENTSSL_CLIENTHELLO event and in this case you should be able to match SNI. You should also disable serverSSL on matching serverside event.&nbsp;&nbsp;

Forum Discussion

Bypass Host

2 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

F5 System Scanner - How I deployed it at scale

What configuration issue am I experiencing with this 130-domain VS ?

Ivanti MDM Core & F5 LTM/ASM with mTLS

F5 BIGIP & XC certbot plugin

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS