Forum Discussion

Jaz_170005
Jan 14, 2015

Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature

Hello, I hope that someone has had to deal with the same... I have one VS=test.domain, which serves three secure sites (test1.domain, test2.domain, test3.domain), so I followed the instructions in this article: https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html

By following the above article, I configured three clientssl TLS SNI profiles, one for each site, plus the default clientssl TLS SNI profile. As you can see from the article, it assumes that I should offload the cert (terminate SSL) at the F5; however, two of the sites have secure pages and they should be served with https, so I had to take care of that using iRules to overwrite http to https in the response section.

However, I am not happy with having the iRule do that for me. I would like to use a serverssl profile to pass the certs to the backend (never terminate SSL). It's the same cert, for the purpose of simplicity.

So I created three serverssl TLS SNI profiles and the default one, and associated the four clientssl profiles and four serverssl profiles... however, it did not work!

Any idea how I can do this using client and server SSL (using the TLS SNI feature), please? I spent the entire day on this; I am exhausted! Thank you for your help in advance.


4 Replies

  • nathe

    Do you need TLS SNI on the server side? The BIG-IP is acting as the client here, so I'm not sure you do. If you want to re-encrypt the traffic, then the default serverssl profile will do that for you. I take it the pool members are listening on 443.

    If you wanted to be more granular and only re-encrypt two of the sites, then you'd need an iRule to enable/disable serverssl.

    Hope this helps, N

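Added example (not code from the thread and not nathe's): one way to do the selective re-encryption nathe describes. It assumes the VS already carries the per-site clientssl SNI profiles plus one default serverssl profile (so server-side TLS is on unless an iRule turns it off), that the back ends for test1/test2 listen on 443 while the test3 back end listens on 80, and the pool names pool_https_443 and pool_http_80 are hypothetical.

```tcl
# Added example, not from the original thread. Assumes a single default
# serverssl profile on the VS; pool names are hypothetical.
when HTTP_REQUEST {
    # clientssl has already terminated TLS, so the decrypted Host header is
    # available here and identifies which SNI site the request belongs to.
    switch -glob [string tolower [HTTP::host]] {
        "test1.domain" -
        "test2.domain" {
            # Back ends for these sites listen on 443: re-encrypt to the pool.
            SSL::enable serverside
            pool pool_https_443
        }
        "test3.domain" {
            # This back end only listens on 80: send clear text to the pool.
            SSL::disable serverside
            pool pool_http_80
        }
        default {
            # Unknown host: keep the VS default (serverssl on) rather than
            # silently downgrading to plain HTTP on the server side.
            SSL::enable serverside
            pool pool_https_443
        }
    }
}
```

Caveat: SSL::enable/SSL::disable serverside act on the server-side connection, so they have to take effect before that connection is opened. With HTTP keep-alive, later requests on the same client connection can reuse the server-side connection the first request chose; keeping the 443 and 80 back ends in separate pools, as above, means a reused connection never carries TLS to a member that only speaks clear text or vice versa.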

  • GM, and thank you for answering my question. It turned out that the backend won't allow 443 even though they have secured pages (responding back to the F5 with https) :)... so my only option was to use an iRule for that. Thank you again.

     

    • nathe
      Could you use a stream profile instead to change https to http?
  • Yes, that's what I had to do: 1. associate a Stream profile with the VS; 2. associate this iRule with the VS.

    when HTTP_REQUEST {
        # Keep the stream filter off for requests; it is enabled per response below
        STREAM::disable
        # Stop the server compressing the response, since the stream filter
        # cannot rewrite compressed content
        HTTP::header remove "Accept-Encoding"
        # Remember the requested host for the response rewrite
        set host [HTTP::host]
    }

    when HTTP_RESPONSE {
        # Check if response type is text and host isn't null
        if { [HTTP::header value Content-Type] contains "text" and $host ne "" } {
            # Replace http://$host with https://$host
            STREAM::expression "@http://$host@https://$host@"

            # Enable the stream filter for this response only
            STREAM::enable
        }
        # Rewrite the Location header in redirects to https://
        if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] starts_with "http://$host" } {
            HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
        }
    }