Forum Discussion
Content switching with SSL offloading on a single virtual server address
Hi guys
We are planning to implement content switching using just one virtual server IP address. This single IP will represent multiple URLs with SSL, so that our client can save IP addresses. Can a single VS handle multiple SSL certificates and use an iRule to determine which one to use? Basically, here is the traffic flow:
Sample
1. Client -> www.test1.com/xxx -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test1
2. Client -> www.test1.com/yyy -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test2
3. Client -> www.test2.com/xxx -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test3
4. Client -> www.test2.com/yyy -> vs=1.1.1.1 -> iRule1 (policy to check which SSL cert to bind to the URL) -> iRule2 (policy to check which pool to send depending on the url or url parameter) -> iRule3 (policy to check if the client ip address is allowed to access the pool) -> pool_test4
The client is using Citrix and we wanted to replace it with F5.
Many thanks
21 Replies
- jake_macabuag_4
Nimbostratus
Seems like we will encounter a problem. IP Filtering will be done on the POOL level and not on the VS.
1. There is a list of IP addresses that are allowed to access POOL_A, a different set of addresses for POOL_B, and so on. It is not limited to just one data group. Example:
Data Group: Allowed_Pool_A = IP addresses A, B and C ---> allowed to access OPIS POOL but not RESELLER POOL
Allowed_Pool_B = IP addresses X, Y and Z ---> allowed to access RESELLER POOL but not OPIS POOL
If the IP is accepted in the first iRule, it has no means to check whether it is allowed to access the pool.
- nitass
Employee
In that case, you can check the client IP address in the HTTP_REQUEST event instead of CLIENT_ACCEPTED, similar to the iRule you wrote.
- jake_macabuag_4
Nimbostratus
OK, will try both. Many thanks.
- jake_macabuag_4
Nimbostratus
Hi, it seems everything is working for now. Thanks for that. Is there a need to optimize the rule, because it looks quite slow? I am not sure if it has to do with the nested IFs. What is the purpose of the command RETURN?
Additional requirement :-)
1. Users will just type www.test.com in their browser, which will redirect the user to "www.test.com/reseller", BUT the link in the browser will still show www.test.com. The user is not aware of the redirection.
- nitass
Employee
"I am not sure if it has to do with the nested IFs."
Is this article helpful?
Comparing iRule Control Statements by Joe
https://devcentral.f5.com/tech-tips/articles/comparing-irule-control-statements
"What is the purpose of the command RETURN?"
return Wiki
https://devcentral.f5.com/wiki/irules.return.ashx
"1. Users will just type www.test.com on their browser which will redirect the user to "www.test.com/reseller" BUT the link on the browser will still show www.test.com. User is not aware of redirection"
You can use the HTTP::uri command.
HTTP::uri Wiki
https://devcentral.f5.com/wiki/iRules.HTTP__uri.ashx
e.g.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.14:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_REQUEST {
            if { [HTTP::uri] equals "/" } {
                HTTP::uri "/reseller"
            }
        }
    }

    [root@ve11a:Active:Changes Pending] config ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
    New TCP connection 1: 172.28.19.251(49780) <-> 172.28.20.14(443)
    1 1  1358684881.2414 (0.0197)  C>S  SSLv2 compatible client hello
    1 2  1358684881.2414 (0.0000)  S>CV3.1(81)  Handshake
    1 3  1358684881.2414 (0.0000)  S>CV3.1(866)  Handshake
    1 4  1358684881.2414 (0.0000)  S>CV3.1(4)  Handshake
    1 5  1358684881.2436 (0.0021)  C>SV3.1(262)  Handshake
    1 6  1358684881.2436 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
    1 7  1358684881.2436 (0.0000)  C>SV3.1(36)  Handshake
    1 8  1358684881.2524 (0.0087)  S>CV3.1(1)  ChangeCipherSpec
    1 9  1358684881.2524 (0.0000)  S>CV3.1(36)  Handshake
    1 10 1358684881.2534 (0.0009)  C>SV3.1(174)  application_data
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Accept: */*
    Host: www.test.com
    ---------------------------------------------------------------
    New TCP connection 2: 200.200.200.13(16983) <-> 200.200.200.101(80)
    1358684881.2555 (0.0016)  C>S
    ---------------------------------------------------------------
    GET /reseller HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Accept: */*
    Host: www.test.com
    ---------------------------------------------------------------
- jake_macabuag_4
Nimbostratus
"1. Users will just type www.test.com on their browser which will redirect the user to "www.test.com/reseller" BUT the link on the browser will still show www.test.com. User is not aware of redirection"

    when HTTP_REQUEST {
        log local0. "in HTTP_REQUEST"
        if { [HTTP::uri] equals "/" } {
            HTTP::uri "/opis"
        }
    }

I tried using this, but the browser will still show the complete URL including the /opis. Is there a way not to show /opis in the browser, only www.test.com.ph?
Thanks.
- jake_macabuag_4
Nimbostratus
"1. Users will just type www.test.com on their browser which will redirect the user to "www.test.com/reseller" BUT the link on the browser will still show www.test.com. User is not aware of redirection"

    when HTTP_REQUEST {
        log local0. "in HTTP_REQUEST"
        if { [HTTP::uri] equals "/" } {
            HTTP::uri "/reseller"
        }
    }

I tried using this, but the browser will still show the complete URL including the /reseller. Is there a way not to show /reseller in the browser, only www.test.com.ph?
Thanks.
- jake_macabuag_4
Nimbostratus
OR
the user will type in www.test.com.ph/reseller but the browser will just show www.test.com.ph
- What_Lies_Bene1
Cirrostratus
Posted By jake macabuag on 01/21/2013 11:12 PM
OR
the user will type in www.test.com.ph/reseller but the browser will just show www.test.com.ph
That isn't possible really; you can't control the browser directly.
Regarding the iRule, it should work just fine, but you'll probably find all the links returned by the server don't include what you want shown. That being the case, you'll probably need to expand the iRule to accommodate all the possible paths that the server might return, or use a Stream profile to rewrite the links in the server responses.
- jake_macabuag_4
Nimbostratus
Thanks Steve for your reply. Actually, our customer has an existing Citrix NetScaler and this is one thing that it does. We are just trying to show that F5 can do more aside from their existing configuration/setup. I'll just try to explore other sample iRules and see if I can start from there.
Many thanks.
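The design discussed in this thread, as an added example that is not nitass's, jake's or F5's own code: a single iRule on the one HTTPS virtual server that selects the pool from the request path, checks the client address against the per-pool address data group inside HTTP_REQUEST (nitass's suggestion, since the pool is not known in CLIENT_ACCEPTED), uses return to stop processing on a denied request (the command jake asked about), and hides the /reseller prefix the way Steve described, by rewriting the path on the way in and the Location header and text bodies on the way out with a Stream profile. Assumed, not from the thread: the pool names pool_opis and pool_reseller, that Allowed_Pool_A and Allowed_Pool_B are address-type data groups guarding OPIS and RESELLER respectively, a single hostname, and an empty stream profile attached to the virtual server. Certificate selection is left to the client SSL profile(s) on the virtual server and is not shown.

```tcl
# Added example, not code from the thread or from F5. Assumed objects on the BIG-IP:
#   pools        pool_opis, pool_reseller
#   data groups  Allowed_Pool_A (addresses allowed to reach OPIS)
#                Allowed_Pool_B (addresses allowed to reach RESELLER), both address type
#   an empty stream profile attached to the HTTPS virtual server (for the body rewrite)
# Certificate selection is left to the client SSL profile(s) on the virtual server.

when HTTP_REQUEST {
    # The stream filter is enabled per response below; keep it off for requests.
    STREAM::disable
    # Ask the server for uncompressed bodies so the stream filter can see the text.
    HTTP::header remove "Accept-Encoding"

    # Step 1: content switching on the request path. When several hostnames share
    # the virtual server, match on "[HTTP::host][HTTP::path]" instead.
    switch -glob -- [string tolower [HTTP::path]] {
        "/opis*" {
            set target pool_opis
            set acl    Allowed_Pool_A
        }
        "/reseller*" {
            set target pool_reseller
            set acl    Allowed_Pool_B
        }
        default {
            # Everything else, including "/", belongs to the reseller application:
            # add the prefix the server expects. The browser keeps the path it sent.
            HTTP::uri "/reseller[HTTP::uri]"
            set target pool_reseller
            set acl    Allowed_Pool_B
        }
    }

    # Step 2: per-pool source address check, done here in HTTP_REQUEST rather than
    # in CLIENT_ACCEPTED because the pool is only known once the request is seen.
    if { ![class match [IP::client_addr] equals $acl] } {
        log local0. "denied [IP::client_addr] -> $target for [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "Forbidden"
        # return ends this event handler for this request: the pool command below
        # never runs for a denied client.
        return
    }

    pool $target
}

when HTTP_RESPONSE {
    # Strip the hidden prefix from server redirects ...
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {/reseller/ /} [HTTP::header Location]]
    }
    # ... and from links inside text bodies. Absolute URLs built by scripts or
    # links in non-text content are not covered, which is Steve's caveat above.
    if { [HTTP::header value Content-Type] contains "text" } {
        STREAM::expression {@/reseller/@/@}
        STREAM::enable
    }
}
```

The address check runs on every request rather than once per connection, which is the cost of moving it from CLIENT_ACCEPTED to HTTP_REQUEST; the data group lookup is cheap, so the nested-if cost jake noticed is more likely to come from string work in the rule than from this check. The prefix hiding only holds as long as every path the server emits is either already under /opis or /reseller or belongs to the reseller application, so any additional application behind the same virtual server needs its own case in the switch and its own rewrite on the way out.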