Forum Discussion
Brad_Parker
Oct 21, 2015, Cirrus
My guess is that you will have to have a server SSL profile with the Server Name field populated for every client SSL profile you have attached. I'm trying to confirm that now, but that is my suspicion.
- Michael_Waldron, Oct 21, 2015, Nimbostratus: This appears to be the right path. I found under Advanced configuration in the SSL Server profile where I could specify a server name, and after doing that the first of my test sites is working. I still have to verify it for multiple sites and multiple domain names, but things are looking up. I'll report back with my final results.
- Brad_Parker, Oct 21, 2015, Cirrus: If it doesn't work with multiple sites you may have to use an iRule for the server SSL profile selection. This could do that assuming you name your server SSL profiles (hostname)_serverSSL and apply a default server SSL profile to the VIP with no SNI configured in it.

      when SERVER_CONNECTED {
          catch { SSL::profile "[string tolower [getfield [HTTP::host] ":" 1]]_serverSSL" }
      }
- Michael_Waldron, Oct 21, 2015, Nimbostratus: Ok, this got me a bit closer, but now I'm running into the following: When I attempted to add a 2nd server SSL profile to my virtual server, I was told I needed a default SNI profile. So I created a default profile (a copy of serverssl with the only modification being the default option checked) and after applying that to the virtual server I could not access either test site. I removed the default profile, and selected Test1 as default. I was then able to access the test1 site via the virtual server, but not test2. If I change the profiles to make Test2 the default, I can access it but not Test1. The non-default server returns a 400 - Bad Request Invalid Hostname.
- Brad_Parker, Oct 21, 2015, Cirrus: Sounds like you will have to use an iRule for the server SSL profile selection like I mentioned above.
- Michael_Waldron, Oct 21, 2015, Nimbostratus: Yep, I hadn't seen your post when I made mine. I'm going to look into the iRule tomorrow. I've not done anything with them before so much like the rest of this deployment, this will be a learning experience.
- Michael_Waldron, Oct 22, 2015, Nimbostratus: When I attempt to add the above iRule I'm given the following error:

      error: /Common/ssl_sni_forward:5: error: [command is not valid in current event context (SERVER_CONNECTED)][HTTP::host]

  Any ideas?
- Brad_Parker, Oct 22, 2015, Cirrus: Well that's dumb that it's not available in server connected. This should work and do the same thing.

      when SERVER_CONNECTED {
          catch { SSL::profile "[string tolower [getfield [HTTP::header "HOST"] ":" 1]]_serverSSL" }
      }
- Michael_Waldron, Oct 22, 2015, Nimbostratus: When I apply the iRule it requires that I use the fasthttp profile, which doesn't appear to allow HTTPS connections.
- Brad_Parker, Oct 22, 2015, Cirrus: It should not require a fasthttp, it will require an HTTP profile which is allowed with a clientssl profile.
- Michael_Waldron, Oct 22, 2015, Nimbostratus:

      01070394:3: HTTP::header in rule (/Common/ssl_sni_forward) requires an associated FASTHTTP profile on the virtual server (/Common/Test-IIS-HTTPS).
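
An added example, not posted by anyone in the thread: one way to avoid calling HTTP:: commands in SERVER_CONNECTED is to read the Host header in HTTP_REQUEST, where HTTP::host is valid, and keep it in a variable for the server-side event. It assumes the (hostname)_serverSSL naming from the thread, an HTTP profile and a default server SSL profile on the virtual server, and that SSL::profile is accepted in SERVER_CONNECTED (neither error message in the thread objects to it); the variable name sni_host is made up for this example.

```tcl
# Added example; sni_host is a hypothetical variable name.
when HTTP_REQUEST {
    # HTTP::host is valid in this client-side HTTP event.
    # Drop any ":port" suffix and lowercase the name so it matches the profile naming.
    set sni_host [string tolower [getfield [HTTP::host] ":" 1]]
}

when SERVER_CONNECTED {
    # No HTTP:: commands here: reuse the value saved in HTTP_REQUEST.
    if { [info exists sni_host] && $sni_host ne "" } {
        # Assumed naming convention from the thread: <hostname>_serverSSL.
        if { [catch { SSL::profile "${sni_host}_serverSSL" } err] } {
            # No matching profile: the default server SSL profile on the
            # virtual server stays in effect. Log it so the gap is visible.
            log local0.warning "no server SSL profile for host $sni_host: $err"
        }
    }
}
```

The Host header is client-supplied, so the catch also covers requests whose host has no matching profile; those fall back to the default server SSL profile instead of failing the rule.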