barry_7762
Jan 21, 2010

http and https whitelabeling

I work for a webhosting company and we need to do some whitelabeling for both http and https whitelabeling. The http side should be pretty straightforward, just a re-write, but as for the https, what would I need to do about the certificates? Keeping in mind I would like very much to use the F5 to offload certificates.

9 Replies

  • Hi Barry,

    I am not exactly sure what you are asking. Are you asking for a guideline on how to have the F5 offload the certificates?

    If so, then at a high level here are the basic steps:

    1) Create an SSL certificate and get it signed

    2) Create a Client SSL Profile, making sure you reference the signed SSL cert

    3) You then create a pool which contains your server on HTTP

    4) You then create a VIP on 443 that associates with the Client SSL profile and the HTTP pool you created.

    Of course I am not exactly sure how your website works, but hopefully this can be a guide.

    Bhattman

  • No, need the client to think he is going to https://www.abc.com but in fact he is going to https://www.xyz.com and not get any certificate errors. I know I will have to have both certificates on the F5 and that is not a problem.

  • You could use the ProxyPass iRule to do this. You would need the SSL cert/key for the client facing FQDN, but not the internal FQDN. If you need to establish a serverside SSL connection, you would need to configure a server SSL profile on the VIP--but this wouldn't require having the server's SSL cert/key.

    http://devcentral.f5.com/Wiki/default.aspx/iRules.CodeShare ->

    ProxyPass

    ProxyPassv10

    Aaron
  • Thanks very much for the quick response, but in the documents it does mention Apache, but we are using a combination of Apache, IIS, Tomcat etc. Does this function work on other web servers as well?
  • The iRule approximates the function of the Apache ProxyPass, but doesn't work specifically for Apache or any other platform. It should work with any standard HTTP or HTTPS web app.

    Aaron
  • I got the ProxyPass installed but am having some problems with the datagroup with error message. Any help would be greatly appreciated. Thanks in advance.

    URI=/: No rule found

    "mail.companyx.com/":="mail.exchange.net/",

    Need the client to use URL https://mail.companyx.com and the backend use https://mail.exchange.net/ with clientssl enabled.

  • Are you running 10.0.x or 10.1.0? Are you using a standard datagroup or an external file-based datagroup?

    Not that it should cause no datagroup match to be found, but do you have a client and serverssl profile added to the VIP if you want both sides encrypted?

    Aaron
  • I am running BIG-IP 10.0.1 Build 354.0 Hotfix HF2 and am using an external file-based datagroup with read/write rights to the file.

    cat /config/ProxyPassProxyPassEX2K7-CAS-HTTPS-webmail.exchange.net-FN-to-BN

    "webmail.XXXXweb.com/":="webmail.exchange.net/",

    I have also added both certs.

  • Can you try adding spaces before and after the := in the datagroup file:

    "webmail.XXXXweb.com/" := "webmail.exchange.net/",

    Per Joe's suggestion (Click here), you can change the "Access Mode" on the class in the GUI to force a reload of the file contents.

    Aaron
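
A check for the spacing issue raised in the last reply, as an added example that is not part of any post in this thread and not F5 code: a Python linter that reads an external datagroup file body, flags entries written without whitespace around `:=`, and emits them in the spaced form. It assumes the one-entry-per-line `"key" := "value",` shape shown in the posts; the function name, the sample hostnames and the duplicate-key check are this example's own.

```python
import re

# Entry shape taken from the posts above: "client-host/path" := "backend-host/path",
# Whitespace around := is captured so the unspaced form can be reported.
ENTRY = re.compile(r'^\s*"([^"]+)"(\s*):=(\s*)"([^"]+)"\s*(,?)\s*$')


def lint_datagroup(text):
    """Check an external datagroup file body.

    Returns (normalized_lines, findings); findings are (line_number, message).
    """
    normalized, findings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # ignore blank lines
        m = ENTRY.match(raw)
        if m is None:
            findings.append((lineno, "unparseable entry"))
            normalized.append(raw)  # leave it untouched for a human to fix
            continue
        key, pre, post, value, comma = m.groups()
        if not pre or not post:
            findings.append((lineno, "no whitespace around :="))
        if key in seen:
            findings.append((lineno, f"duplicate key, first seen on line {seen[key]}"))
        seen.setdefault(key, lineno)
        normalized.append(f'"{key}" := "{value}"{comma}')
    return normalized, findings


# Constructed sample input (hostnames are placeholders, not taken from the thread).
SAMPLE = '''"webmail.example.test/":="backend.example.test/",
"mail.example.test/" := "mail-backend.example.test/",
"webmail.example.test/" := "other.example.test/",
mail.example.test/ := unquoted
'''

if __name__ == "__main__":
    lines, problems = lint_datagroup(SAMPLE)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print("\n".join(lines))
```

Running it against a copy of the datagroup file before forcing a reload shows which entries would still be in the unspaced form.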