Forum Discussion
Maria_Ramirez_5
Nimbostratus
NimbostratusHOW TO ASSOCIATE TWO SSL PROFILES TO A VIRTUAL SERVER
Hello,
I am María Ramírez, Presales Security Engineer of a reseller company called DIMENSION DATA.
I have a client who has a virtual server which has associated a ssl profile. This profile contains a ssl certificate for a domain (*.ahorro.com).
Now, they want to create another domain, (the servers for this domain are the same as the server used for the first one). The new domain is *.test.com and my client wants to know if:
IT IS POSSIBLE TO ASSOCIATE TWO SSL PROFILES TO THE SAME VIRTUAL SERVER; I MEAN: THE SAME VIRTUAL IP ADDRESS SHOULD MAKE THE SSL TERMINATION FOR *.ahorro.com and *.test.com
BY MEANS OF THE WEB GUI, IT IS NOT POSSIBLE TO CONFIGURE THIS, BUT PERHAPS, WITH IRULES, IT IS POSSIBLE ?????
DO YOU HAVE HAD ANY CASE SIMILAR TO THIS?
THANK YOU IN ADVANCE.
I WAIT FOR YOUR ANSWER.
Regards,
María
kykong_107132Hi Maria,
you can use irule to bind a single virtual with 2 ssl profile using SSL::profile command. Below is one of the example, happy trying.
when HTTP_REQUEST {
if { [HTTP::host] contains "ahorron.com" } {
SSL::profile ahorron_profile
}
elseif { [HTTP::host ] contains "test.com"} {
SSL::profile test_profile
}
}
regards,
Dave_WileyMaria:
If the traffic comes in on port 80 first, you could issue an HTTPS redirect to two different VIPS based on the URL domain.
I don't beleive a single VIP can be used to accomodate SSL offloading for two different certificates. The packets are encrypted with only the TCP header available for inspection until the data is unencrypted by using an SSL profile. At that point, it's two late to switch SSL profiles as one has already been applied.
Dave
Maria_Ramirez_5Thank you very much for your answers.
I understand your explanation. I will try to create a vs on port 80 and then try to make a switch (depending on the SSL CERTIFICATE), in order to use a virtual server (with *.ahorro.com ssl profile) or the other virtual server (with *.test.com certificate).
Regards- Maria_Ramirez_5Thanks!!
I will try with this iRule. If this works, it could be great, because it is easy to implement!! I will inform you with the results.
Thanks again and regards,
María 
Jerome_O_Neil_4Posted By kky on 2/04/2007 6:00 AM
Hi Maria,
you can use irule to bind a single virtual with 2 ssl profile using SSL::profile command. Below is one of the example, happy trying.
when HTTP_REQUEST {
if { [HTTP::host] contains "ahorron.com" } {
SSL::profile ahorron_profile
}
elseif { [HTTP::host ] contains "test.com"} {
SSL::profile test_profile
}
}
regards,
This won't work. SSL::profile isn't available in an HTTP_REQUEST context. By the time you get to the completed HTTP_REQUEST, the profile has already been selected.
SSL::profile is available in CONNECTION_ACCEPTED and other contexts, but the HTTP::* stuff isn't. It's a bit of a chicken and egg problem.
You need the hostname to help select the profile, but you can't select the profile after you get the hostname.
I'm working on this exact same issue right now. I don't know that it's solvable via the current iRule implementation, but I would think this is a common enough issue for F5 to address.
We run a lot of websites off of one VIP, using name based configurations. We can't provide true SSL for those websites until this is resolved.