Forum Discussion
Content switching with SSL offloading on a single virtual server address
Hi guys
We are planning to implement content switching using just one virtual server IP address. This single IP will represent multiple URLs with SSL, in order for our client to save IP addresses. Can a single VS handle multiple SSL certificates and use an iRule to determine which one to use? Basically, here is the traffic flow.
Sample
1. Client -> www.test1.com/xxx -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test1
2. Client -> www.test1.com/yyy -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test2
3. Client -> www.test2.com/xxx -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test3
4. Client -> www.test2.com/yyy -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test4
Client is using Citrix and we wanted to replace it with F5.
Many thanks
21 Replies
- nitass
Employee
"Can a single VS handle multiple SSL Certificates and use iRule to determine which one to use?"
Is the SNI feature usable?
sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
- jake_macabuag_4
Nimbostratus
Thanks nitass. I will read the doc and see from there.
- jake_macabuag_4
Nimbostratus
Hello! Additional requirement
Can you help me with how I can include an IP filter that only allows certain IP addresses to access the pool? Should I use matchclass? How do I include it in the iRule?
Many thanks
- nitass
Employee
"can you help me how can I include an ip filter that only allows certain ip addresses to access the pool? Should I use matchlass? how to include it in the irule?"
You should use the "class" command.
e.g.
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.14:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
            if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
                log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
                reject
            } else {
                log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
    ltm data-group internal allow_ip_class {
        records {
            192.168.206.33/32 { }
        }
        type ip
    }
    [root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
    Jan 14 14:24:29 ve11a info tmm[11170]: Rule /Common/myrule : 172.28.19.251:48999 is rejected
    Jan 14 14:24:36 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:54606 is accepted
- jake_macabuag_4
Nimbostratus
Hi Nitass, thanks for the quick reply. But how can I incorporate that with my previous HTTP iRule? Basically, after doing the content switching, it will check if the client IP is allowed to access the pool before forwarding it. Else, it will be rejected.
Is it possible to do nested IFs? Thanks for the support. Just a newbie in iRules.
- jake_macabuag_4
Nimbostratus
when HTTP_REQUEST {
    # case insensitive
    if { [string tolower [HTTP::uri]] contains "opis" } {
        pool OPIS_POOL
    } elseif { [string tolower [HTTP::uri]] contains "reseller" } {
        pool RESELLER_POOL
    } else {
        pool RESELLER_POOL
    }
}
- jake_macabuag_4
Nimbostratus
Can you check if this will work???
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "opis" } {
        if { [class match [IP::client_addr] equals allowed_ip_1] } {
            pool OPIS_POOL
        }
    } elseif { [string tolower [HTTP::uri]] contains "reseller" } {
        if { [class match [IP::client_addr] equals allowed_ip_2] } {
            pool RESELLER_POOL
        }
    }
}
- nitass
Employee
"But how can I incorporate that with my previous HTTP iRUle? Basically, after doing a content switching, it will check if the client ip is allowed to access the pool before forewarding it. Else, it will be rejected."
The CLIENT_ACCEPTED event is triggered before the HTTP_REQUEST event. So we can reject the client IP address in CLIENT_ACCEPTED and select the pool based on the URL in HTTP_REQUEST.
iRules Insight - HTTP Event Order by Jason
https://devcentral.f5.com/blogs/us/irules-insight-http-event-order
e.g.
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.14:443
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
            log local0. "-"
            if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
                log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
                reject
            } else {
                log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
            }
        }
        when HTTP_REQUEST {
            log local0. "-"
            # case insensitive
            set uri [string tolower [HTTP::uri]]
            switch -glob $uri {
                "*opis*" { pool OPIS_POOL }
                "*reseller*" { pool RESELLER_POOL }
                default { pool RESELLER_POOL }
            }
        }
        when SERVER_CONNECTED {
            log local0. "-"
            log local0. "client [IP::client_addr]:[TCP::client_port] | uri $uri | pool [LB::server pool] | pool member [LB::server addr]:[LB::server port]"
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
    ltm data-group internal allow_ip_class {
        records {
            192.168.206.33/32 { }
        }
        type ip
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool OPIS_POOL
    ltm pool OPIS_POOL {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool RESELLER_POOL
    ltm pool RESELLER_POOL {
        members {
            200.200.200.111:80 {
                address 200.200.200.111
            }
        }
    }
    [root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
    Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : 172.28.19.251:49004 is rejected
    Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55244 is accepted
    Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55244 | uri /opis/something | pool /Common/OPIS_POOL | pool member 200.200.200.101:80
    Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55246 is accepted
    Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55246 | uri /reseller/something | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80
    Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
    Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : 192.168.206.33:55247 is accepted
    Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
    Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
    Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : client 192.168.206.33:55247 | uri /somethingelse | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80
- jake_macabuag_4
Nimbostratus
Many thanks!!!!
- jake_macabuag_4
Nimbostratus
Thanks for the explanation and the sample iRule. I'll check on this and will try it in the lab.
Many thanks!!!!
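Pulling the thread's pieces together (SNI as in sol13452 for the certificate question, and data-group filtering as nitass showed), here is an added example of the single-VIP design from the original question; it is written for this page and is not the thread's or F5's own configuration. It differs from nitass's rule in one respect the original flow asked for: the allow list is checked per pool, after routing, rather than once per connection. Every name (test1_clientssl, route_dg, allow_test1, the pool and certificate names) and the 1.1.1.1 and 192.168.206.0/24 addresses are assumptions, and only one of the four allow-list data groups is shown.

```tcl
# Client SSL profiles, one per hostname: the SNI server-name selects the profile,
# and the one marked sni-default answers clients that send no (or an unknown) SNI.
ltm profile client-ssl test1_clientssl {
    defaults-from clientssl
    cert test1.crt
    key test1.key
    server-name www.test1.com
    sni-default true
}
ltm profile client-ssl test2_clientssl { defaults-from clientssl cert test2.crt key test2.key server-name www.test2.com }
# Routing table: "host/path-prefix" -> "pool allow-list-data-group" (constructed values)
ltm data-group internal route_dg {
    records {
        www.test1.com/xxx { data "pool_test1 allow_test1" }
        www.test1.com/yyy { data "pool_test2 allow_test2" }
        www.test2.com/xxx { data "pool_test3 allow_test3" }
        www.test2.com/yyy { data "pool_test4 allow_test4" }
    }
    type string
}
# One ip-type data group per pool holds that pool's allowed client networks (only one shown)
ltm data-group internal allow_test1 { records { 192.168.206.0/24 { } } type ip }
ltm rule route_and_filter {
    when HTTP_REQUEST {
        # Normalise the host (drop any :port) and use the path without the query string
        set host [string tolower [getfield [HTTP::host] ":" 1]]
        set key "${host}[string tolower [HTTP::path]]"
        # Prefix match against route_dg; -value returns the record's data, "" if no match
        set route [class match -value -- $key starts_with route_dg]
        if { $route eq "" } {
            HTTP::respond 404 content "Unknown site" Connection close
            return
        }
        set target_pool [lindex $route 0]
        set allow_dg    [lindex $route 1]
        # Per-pool allow list, checked after routing so the decision is specific to this pool
        if { not [class match -- [IP::client_addr] equals $allow_dg] } {
            log local0. "[IP::client_addr] denied for $key (pool $target_pool)"
            HTTP::respond 403 content "Forbidden" Connection close
            return
        }
        pool $target_pool
    }
}
ltm virtual vs_shared {
    destination 1.1.1.1:443
    profiles { http { } tcp { } test1_clientssl { context clientside } test2_clientssl { context clientside } }
    rules { route_and_filter }
}
```

Because the check runs in HTTP_REQUEST rather than CLIENT_ACCEPTED, a denied client gets a 403 over the already-established TLS session instead of a TCP reset, which is what lets the decision depend on the routed pool.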