Forum Discussion
F5 DNS external monitor
Yes, but the platform is OpenShift and works based on HTTPS with TLS SNI. I don't know all the internals, but it's accepted on what they call the "router", but there is no SSL done there, so they are also forwarding to the application. So when we introduce the hostname in the HTTP header, it's not accepted and we get an HTTP error rather than the expected 200 OK.
Using curl and working with the FQDN works fine. But I don't see a possibility to define a node based on FQDN in F5 DNS.
- Yoann_Le_Corvi1, Jul 25, 2019, Cumulonimbus
Hi,
First, try to run your curl test with the -vv option to get a full debug of everything curl sends to the backend to get a 200. Then you can try building a monitor with this info.
I don't quite understand why a curl with FQDN would work, and not a monitor with a Host header, as this is normally the same. It may also be another header (User-Agent, Accept, Content-Type...).
Sincerely
- cjunior, Jul 25, 2019, Nacreous
Hi Yoann,
As far as I know, SSL with TLS/SNI isn't possible on the built-in HTTPS monitors, at least on BIG-IP version 12.x.
The monitor headers are at OSI Layer 7, and the SNI (Server Name Indication) occurs in the Client Hello during the SSL handshake, soon after the L4 TCP handshake.
The curl command applies the SNI during the SSL handshake, just as openssl does with the "-servername" parameter.
Please correct me if I am wrong.
Respectfully
- Yoann_Le_Corvi1, Jul 25, 2019, Cumulonimbus
Hi,
Indeed. So in that case (i.e. if the SNI extension is made mandatory by the backend, but to make sure I would still do the test with curl, and try to reproduce the headers) he may have no choice but to use external monitors, or upgrade to get the possibility to use a specific SSL server profile for the monitor (not sure if it came out with 13 or 14).
Yoann
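
The external-monitor route mentioned in the last reply, as an added sketch that is not from any poster or from F5: curl's `--resolve` pins the FQDN to the member's IP, so the TLS Client Hello carries the SNI while the connection still goes to the node address. It assumes the script receives the member IP as `$1` (possibly with a `::ffff:` prefix) and the port as `$2`, and that any output on stdout marks the member up; `SNI_HOST`, `URI_PATH`, `EXPECT_STATUS` and `TIMEOUT` are hypothetical variable names.

```shell
#!/bin/sh
# Added example: SNI-aware health probe for use as an external monitor.
# Assumptions (not from the thread): $1 = member IP, $2 = member port,
# stdout output = "up"; SNI_HOST/URI_PATH/EXPECT_STATUS/TIMEOUT are
# hypothetical variables supplied through the monitor definition.

# Strip the IPv4-mapped IPv6 prefix some callers put on the address.
normalize_ip() {
    printf '%s\n' "${1#::ffff:}"
}

# Build the host:port:address triple that curl --resolve expects.
resolve_arg() {
    printf '%s:%s:%s\n' "$1" "$2" "$(normalize_ip "$3")"
}

# Connect to the member IP while presenting SNI_HOST in both the TLS
# Client Hello (SNI) and the HTTP Host header; print the status code.
# Certificate verification stays on; pass --cacert if the router's CA
# is not in the local trust store.
probe_status() {
    curl --silent --output /dev/null --max-time "${TIMEOUT:-5}" \
         --resolve "$(resolve_arg "$1" "$2" "$3")" \
         --write-out '%{http_code}' "https://$1:$2${4:-/}"
}

# Print a marker only when the status matches; silence means "down".
report() {
    [ "$1" = "${EXPECT_STATUS:-200}" ] && echo "UP"
    return 0
}

# Run only when invoked as a monitor with the expected inputs.
if [ -n "${SNI_HOST:-}" ] && [ $# -ge 2 ]; then
    report "$(probe_status "$SNI_HOST" "$2" "$1" "${URI_PATH:-/}")"
fi
```

Running the same probe by hand with `-v` added to the curl call shows the server name sent in the handshake, which helps when comparing against a built-in monitor that fails.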