Forum Discussion
Help with SNI not being passed to pool servers
I think my problem is a missing check box somewhere, but I can't figure out where it is.
I'm running a BigIP, v11.6, in a test environment before we migrate to it in production.
Our requirements are for a fully SSL encrypted connection end to end, and as such I have the BigIP configured to terminate SSL on device, and then re-establish an SSL tunnel to the pool members. I'm using SNAT auto map, I've configured a cookie persistence profile as well as a HTTP profile to insert X-Forwarded-For.
All the above is working fine, until I add SNI into the mix.
Our production environment uses over 20 web sites sharing a single IP using SNI and a combination of wildcard and non-wildcard certificates, all accessible via SNI and host headers. When I migrate my test server to require SNI, the connection is established to the BigIP, SNI is resolved and the correct certificate is presented to the client, however the pool servers are not being contacted correctly by the BigIP and they are not responding.
I've searched through the forums and I don't really see anything applicable, but I admit I'm new with BigIP and I feel like I'm incorrectly using a term or missing a checkbox somewhere.
Can someone point me in the right direction, or link me to where I should have found the answer before I posted?
Thanks in advance!
38 Replies
- oshaughnessy_19
Nimbostratus
I haven't tried this, but just poking around, are you using the SSL Forward Proxy feature in your SSL Profile? Implementing SSL Forward Proxy on a Single BIG-IP System says it supports SNI.
- Michael_Waldron
Nimbostratus
I read through that link and I'm not sure it's what we're looking for. It appears that SSL Forward Proxy recreates certificates, and we already have created and assigned certificates for our servers. I ran through the instructions and tried it anyway just to be sure, but it also did not allow the server to answer a request.
- Brad_Parker
Cirrus
My guess is that you will have to have a server SSL profile with the Server Name field populated for every client SSL profile you have attached. I'm trying to confirm that now, but that is my suspicion.
- Michael_Waldron
Nimbostratus
This appears to be the right path. I found under Advanced configuration in the SSL Server profile where I could specify a server name, and after doing that the first of my test sites is working. I still have to verify it for multiple sites and multiple domain names, but things are looking up. I'll report back with my final results.
- Brad_Parker
Cirrus
If it doesn't work with multiple sites you may have to use an iRule for the server SSL profile selection. This could do that assuming you name your server SSL profiles (hostname)_serverSSL and apply a default server SSL profile to the VIP with no SNI configured in it.

```tcl
when HTTP_REQUEST {
    # HTTP:: commands are only valid in HTTP events, so capture the requested
    # host (without any :port suffix) here for use once the server side connects
    set host [string tolower [getfield [HTTP::host] ":" 1]]
}
when SERVER_CONNECTED {
    # Select the server SSL profile named <hostname>_serverSSL; if no such
    # profile exists, catch the error so the VIP's default server SSL profile is used
    if { [info exists host] } {
        catch { SSL::profile "${host}_serverSSL" }
    }
}
```

- Michael_Waldron
Nimbostratus
Ok, this got me a bit closer, but now I'm running into the following: When I attempted to add a 2nd server SSL profile to my virtual server, I was told I needed a default SNI profile. So I created a default profile (a copy of serverssl with the only modification being the default option checked) and after applying that to the virtual server I could not access either test site. I removed the default profile, and selected Test1 as default. I was then able to access the test1 site via the virtual server, but not test2. If I change the profiles to make Test2 the default, I can access it but not Test1. The non-default server returns a 400 - Bad Request Invalid Hostname.
- JoeTheFifth_453
Nimbostratus
Hi. I'm reviving this thread hoping to find a definitive answer to the same problem. Is this configuration supported without an iRule? Here is the setup:
- 1 VS => HTTPS pool => 2 servers port 443
- I created a base default SNI client profile defaultsniclient and a base default SNI server profile defaultsniserver
- I created two client profiles based on the client SNI profile with the right certs.
- I created two server profiles based on the server SNI profile with the right certs.
Profile 1 has SNI entry app1.domain.com; profile 2 has SNI entry app2.domain.com.
The default SNI profile has just defaultsni.domain.com.
SNI entries are set on both client and server profiles.
Now when I add the three client profiles (default SNI + the other two for app1.domain.com and app2.domain.com) and the three server profiles I cannot connect to the two websites.
If I test the two profiles separately they work fine.
Insight is welcome! Thanks.
- Stanislas_Piro2
Cumulonimbus
- JoeTheFifth_453
Nimbostratus
I'm testing this on 11.5.4.2.0.291
- JoeTheFifth_453
Nimbostratus
Thanks for the link. Two questions: does this mean that my setup (multiple SNI profiles) won't work? I will post the second question on the other thread :-)