Forum Discussion
Change SSL profile based on URI
Hi all,
I have a big problem with my configuration. I have one virtual server with an SSL client profile and two backend servers in two different pools with two different SSL server profiles.
I have a domain name with URI1, www.example.net/app1, and the same domain name with URI2, www.example.net/app2. When someone accesses URI1, they are redirected to pool1/backendserver1 with SSL Server Profile1.
When someone accesses URI2, they are redirected to pool2/backendserver2 with SSL Server Profile2.
Is it possible to create an iRule to balance between the backend servers without having problems with the certificate handshake?
- Matjaz_Lenarcic (Nimbostratus)
I forgot to mention: if the certificate for URI1 is added to the SSL server profile, URI1 works and URI2 has a handshake error; the same happens if I change the certificate. I tried using SNI, but it is always the same problem.
Matjaz_Lenarcic The following should work, but you will most likely have to have a OneConnect profile associated to the Virtual Server in question with a /32 netmask for it to balance you to either path after one has been matched.

    when CLIENT_ACCEPTED priority 500 {
        # Save the pool selected at connection time (the virtual server's default pool)
        set DEFAULT_POOL [LB::server pool]
    }

    when HTTP_REQUEST priority 500 {
        # Compare the request path case-insensitively
        set PATH [string tolower [HTTP::path]]
        if { ${PATH} == "/app1"} {
            # /app1: pool1 with its own server SSL profile
            pool POOL-pool1
            SSL::profile SERVERSSL_profile1
        } elseif { ${PATH} == "/app2"} {
            # /app2: pool2 with its own server SSL profile
            pool POOL-pool2
            SSL::profile SERVERSSL_profil2
        } else {
            # Any other path goes to the default pool
            pool $DEFAULT_POOL
        }
    }

Personally, I don't see any reason to have two different SSL Server Profiles unless you are performing an exact match to the server-side SSL key and cert; instead, I would use a generic SSL Server Profile and let the F5 act just like any other SSL client would when connecting to a site. If you configured what I mentioned, then you only have to decide which pool to balance to rather than pool and specific SSL Server Profile.
- Matjaz_Lenarcic (Nimbostratus)
Thanks for the response. I know the solution with a generic serverssl profile, but using the generic serverssl profile I received "secure connection failed" and I don't know why.
- zamroni777 (Nacreous)
What are the differences between the 2 SSL server profiles?
If they are just the cipher list, then you can use a single SSL profile with ciphers matching both pools. Usually the SSL setup errors can be seen in tcpdump.
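
An added example, not part of any post in this thread: when a server-side handshake fails as described above, the backend usually answers with a plaintext TLS alert that names the reason, and this sketch decodes such alerts from the server-to-BIG-IP TCP payload taken from a capture. The function names and the sample bytes are constructed for illustration; how the payload is exported from the capture is left to your tooling.

```python
import struct

# Subset of TLS alert descriptions (RFC 5246, RFC 6066, RFC 8446) that
# commonly explain a failed handshake between a TLS client and a backend.
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 50: "decode_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name", 116: "certificate_required",
}
LEVELS = {1: "warning", 2: "fatal"}
CONTENT_ALERT = 21  # TLS record content type for alerts


def tls_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in (20, 21, 22, 23) or version >> 8 != 3:
            raise ValueError(f"not a TLS record at offset {off}")
        payload = stream[off + 5: off + 5 + length]
        if len(payload) < length:
            break  # capture ends in the middle of a record
        yield ctype, version, payload
        off += 5 + length


def plaintext_alerts(stream: bytes):
    """Return [(level, description)] for unencrypted alerts in the stream.

    Alerts sent before encryption starts are exactly 2 bytes long; encrypted
    alerts are longer (or wrapped as application data) and are skipped.
    """
    found = []
    for ctype, _version, payload in tls_records(stream):
        if ctype == CONTENT_ALERT and len(payload) == 2:
            level, desc = payload
            found.append((LEVELS.get(level, f"level_{level}"),
                          ALERTS.get(desc, f"alert_{desc}")))
    return found


# Constructed sample: a warning unrecognized_name alert (typical of an SNI
# mismatch) followed by a fatal handshake_failure alert, both TLS 1.2 records.
SAMPLE = bytes.fromhex("1503030002" "0170" "1503030002" "0228")
print(plaintext_alerts(SAMPLE))
```

A fatal `handshake_failure` with no other alert usually points at cipher or protocol mismatch, while `unrecognized_name` points at the server name sent by the server SSL profile.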