Forum Discussion

Matjaz_Lenarcic
Mar 06, 2024

Change SSL profile based on URI

Hi all,

 

I have a big problem with my configuration. I have one VirtualServer with an SSL Client profile and two backend servers in two different pools with two different SSL server profiles.

I have a domain name with URI1, www.example.net/app1, and a domain name with URI2, www.example.net/app2. When someone accesses URI1, they are redirected to pool1/backendserver1 and SSL Server Profile1.

When someone accesses URI2, they are redirected to pool2/backendserver2 with SSL Server Profile2.

 

Is it possible to create an iRule to balance between the backend servers without having a problem with the certificate handshake?

  • I forgot to mention: if the certificate for URI1 is added to the SSL server profile, URI1 works and URI2 has a handshake error; the same happens if I change the certificate. I tried using SNI, but it is always the same problem.

  • Matjaz_Lenarcic The following should work but you will most likely have to have a OneConnect profile associated to the Virtual Server in question with a /32 netmask for it to balance you to either path after one has been matched.

    when CLIENT_ACCEPTED priority 500 {
        # Remember the virtual server's default pool for unmatched paths
        set DEFAULT_POOL [LB::server pool]
    }

    when HTTP_REQUEST priority 500 {
        set PATH [string tolower [HTTP::path]]

        # An exact path match selects the pool and its server SSL profile
        if { ${PATH} == "/app1"} {
            pool POOL-pool1
            SSL::profile SERVERSSL_profile1
        } elseif { ${PATH} == "/app2"} {
            pool POOL-pool2
            SSL::profile SERVERSSL_profile2
        } else {
            pool $DEFAULT_POOL
        }
    }

    Personally, I don't see any reason to have two different SSL Server Profiles unless you are performing an exact match to the server-side SSL key and cert. Instead, I would use a generic SSL Server Profile and let the F5 act just like any other SSL client would when connecting to a site. If you configured what I mentioned, then you only have to decide which pool to balance to rather than pool and specific SSL Server Profile.

    • Matjaz_Lenarcic

      Thanks for the response. I know the solution with a generic serverssl profile, but using a generic serverssl profile I received "secure connection failed" and don't know why.

      • zamroni777

        What are the differences between the two SSL server profiles?
        If it is just the cipher list, then you can use a single SSL profile with ciphers matching both pools.

        Usually the SSL setup errors can be seen in tcpdump.
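
The following iRule is an added example, not code posted by anyone in the thread. It extends the path-based selection from the answer above with logging that shows which pool member and server SSL profile each request used, so a "tcp up" line with no following "tls ok" line for the same member marks the backend whose handshake fails. The pool and profile names are the placeholders from the answer, and matching sub-paths such as /app1/login is an assumption about how the applications are laid out.

```tcl
# Added example, not from the thread. POOL-pool1/2 and SERVERSSL_profile1/2
# are the placeholder names used in the answer above.
when CLIENT_ACCEPTED priority 500 {
    # Remember the virtual server's default pool for unmatched paths.
    set default_pool [LB::server pool]
}

when HTTP_REQUEST priority 500 {
    # Connection-scoped variables; the later events on this connection read them.
    set req_path [string tolower [HTTP::path]]

    # Match the bare prefix and anything beneath it, but not e.g. /app10.
    switch -glob -- $req_path {
        "/app1" -
        "/app1/*" {
            pool POOL-pool1
            SSL::profile SERVERSSL_profile1
            set sel_profile "SERVERSSL_profile1"
        }
        "/app2" -
        "/app2/*" {
            pool POOL-pool2
            SSL::profile SERVERSSL_profile2
            set sel_profile "SERVERSSL_profile2"
        }
        default {
            pool $default_pool
            set sel_profile "not changed by this iRule"
        }
    }
}

when SERVER_CONNECTED priority 500 {
    # TCP to the pool member is up; the server-side TLS handshake comes next.
    log local0. "tcp up: path=$req_path pool=[LB::server pool] member=[IP::server_addr]:[TCP::server_port] profile=$sel_profile"
}

when SERVERSSL_HANDSHAKE priority 500 {
    # Raised only when the server-side handshake completes successfully.
    log local0. "tls ok: member=[IP::server_addr]:[TCP::server_port] [SSL::cipher version] [SSL::cipher name]"
}
```

The log lines go to /var/log/ltm; remove the two logging events once the failing profile or member has been identified.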