Forum Discussion
barry_7762
Nimbostratus
Nimbostratushttp and https whitelabeling
i work for a webhosting company and we need to do some whitelabeling for both http and https whitelabeling. the http side should be pretty staight forward just re-write but as for the https what would i need to do about the certificates. keeping in mind i would like very much to use the F5 to offload certificates.
- The_BhattmanHi Barry,
I am not exactly sure what you are asking? Are you asking for a guidline on how to have the F5 to offload the certificates.
If so then at a high level here are the basic steps
1) Create a SSL Certificate and get it signed
2) Create a Client SSL Profile making sure you reference the signed SSL Cert
3) You then create a pool which contains your server on HTTP
4) You then create a VIP on 443 that associates with the Client SSL profile and the HTTP pool you created.
Of course I am not exactly sure how you website works, but hopefully this can be a guide
Bhattman 
barry_7762no need the client to think he is going to https://www.abc.com but in fact he is going to https://www.xyz.com
and not get any certificate errors. I know i wil have to have both certificates on the F5 and that is not a problem.
hoolioCirrostratus
You could use the ProxyPass iRule to do this. You would need the SSL cert/key for the client facing FQDN, but not the internal FQDN. If you need to establish a serverside SSL connection, you would need to configure a server SSL profile on the VIP--but this wouldn't require having the server's SSL cert/key.
http://devcentral.f5.com/Wiki/default.aspx/iRules.CodeShare ->
ProxyPass
ProxyPassv10
Aaron- barry_7762thanks very much for the quick responce but in the documents it does mention apache but we are using a combonation of apache, IIS, tomcat etc does this functionwork on other web servers as well?
- hoolioThe iRule approximates the function of the Apache ProxyPass, but doesn't work specifically for Apache or any other platform. It should work with any standard HTTP or HTTPS web app.
Aaron - barry_7762i got the ProxyPass installed but am having some problems with the datagroup with error message any help would be greatly appreciated.. thanks in advance
URI=/: No rule found
"mail.companyx.com/":="mail.exchange.net/",
need the client to use url https://mail.companyx.com and the backend use https://mail.exchange.net/ with clientssl enabled. - hoolioAre you running 10.0.x or 10.1.0? Are you using a standard datagroup or an external file-based datagroup?
Not that it should cause no datagroup match to be found, but do you have a client and serverssl profile added to the VIP if you want both sides encrypted?
Aaron - barry_7762I am running BIG-IP 10.0.1 Build 354.0 Hotfix HF2 and am using an external file-based datagroup with read/write rights to the file.
Cat /config/ProxyPassProxyPassEX2K7-CAS-HTTPS-webmail.exchange.net-FN-to-BN
"webmail.XXXXweb.com/":="webmail.exchange.net/",
I have also added both certs. - hoolioCan you try adding spaces before and after the := in the datagroup file:
"webmail.XXXXweb.com/" := "webmail.exchange.net/",
Per Joe's suggestion (Click here), you can change the "Access Mode" on the class in the GUI to force a reload of the file contents.
Aaron
