HTTP HTTPS Proxy redirect question

Question

Hi to everyone,
not really sure of my title neither if this is the right place to post this as I am very new to the F5 community (3 days :) ) and DC and thanks already to all contributors of that site that already helped me out with my LTM implementation.
So far got everything I wanted to for my exchange and View environment but I am left with one issue that I can t figure out or found on this site although I am sure this has already been asked. &nbsp;
To make things simple let's say I have 4 websites and 3 webservers. One internal server hosts 2 HTTP sites (A &amp; B) and the two other servers hosts in DMZ a dedicated HTTPS site (C &amp; D). All sites are accessible from inside and outside.
At the moment Site A and B are sharing the same public ip. There is a NAT on the firewall to a proxy that has to be phased out that passes the traffic to the internal webserver. Site C and D have there own public ip that also has a NAT but straight to their respective server in DMZ.&nbsp;
Is it possible to put all sites on the same public ip, Nat that ip to an external VIP on the F5 and let the F5 box redirect the traffic to the right webserver ? That would help me clear out the mess I have been left with and free up a lot of public ip that I will soon need for other stuff.&nbsp;
Thanks a lot for any help that you can provide&nbsp;
Seb &nbsp;

richard__harlan · Accepted Answer

Yes you can do this you create two virtuals using the same IP address one listening to port 80 and the other listening to port 443. The port 80 traffic will be sent to the server which will use the HTTP host headers to display the correct site just like now.&nbsp;
The problem comes with the HTTPS site you have two server each hosting the same sites? Is so put them in one pool and add both SSL certs to the Virtual using the link below&nbsp;
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html?sr=32430737&nbsp;
The problem you will run into is if the client does not support TLS hostname then the LTM will not know which cert to pass back to the client and will pass back the default cert which in your case has a 50% chance of being the correct cert. Now if most of your clients support this you should not have a problem. &nbsp;

kevin_stewart · Answer

The short answer is yes, but the solutions for HTTP and HTTPS can be slightly different.
Assuming you're going to use standard ports (80 for HTTP and 443 for HTTPS), for HTTP traffic you can do what's commonly called "host-based load balancing", where the load balancer sends traffic to a pool based on the HTTP request URI. Here's an example:
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "app1.example.com" {
            pool app1_pool
        }
        "app2.example.com" {
            pool app2_pool
        }
    }
}

This is probably the easiest method. You could also use an app-based URI if the host name was the same for both applications (ex. www.example.com/app1 or www.example.com/app2). The real beauty of this approach is that you're putting each application (based on IP and/or port) into its own pool. To add additional resources you can simply add new nodes to the pools and actively load balance and monitor the applications.
The above takes care of port 80 HTTP applications using a single IP address. Doing this for HTTPS is little more complicated in that the SSL negotiation is 1) based on the host name, and 2) happens before the HTTP host name can be evaluated. You can use the same exact iRule above, but you also need to configure the SSL properties of the VIP to accommodate multiple host names. Your options are:

A "Wildcard" certificate applied to the single client SSL profile applied to the VIP - this is a single certificate with a wildcard host name (ex. (.example.com) that would cover any host name that matches this domain pattern. These certificates tend to be expensive.

A "Subject Alternative Name (SAN)" certificate applied to the single client SSL profile applied to the VIP - this is a single certificate with a single subject name, but multiple subject alternative names. Like a wildcard it can support multiple host names, but unlike a wilcard it only supports a specified subset of host names.

Server Name Indicator (SNI) - an extension to TLS 1.0 and above that allows the F5 VIP to switch between multiple single cert client SSL profiles based on the server_name attribute sent by the client in the CLIENTHELLO message of the SSL handshake. This requires TLS so some legacy clients can't use this (ie. WinXP and earlier).

All of these options have the effect of allowing you to negotiate SSL with a single VIP, without error, and then use the host-based iRule above to send traffic to the correct application pool.

seb1180_135325 · Answer

Thanks for your answer. The HTTPS sites are not the same ;) Each HTTPS site as his own server.

richard__harlan · Answer

In that case you use the Host base iRule Kevin posted below and it should work just fine.

seb1180_135325 · Answer

Thanks Kevin &amp; Richard. With all those info I should be able to make it but first I need a coffee and a bit of fresh air ;)&nbsp;
Cheers&nbsp;
Seb &nbsp;

seb1180_135325 · Answer

Feel a bit stupid to ask this but would anyone be so kind to detail me the steps I have to follow on how to achieve this has of course there is no template for dummy and I have tried all I could but doesn t succeed.
Thanks a lot&nbsp;
seb&nbsp;

Forum Discussion

HTTP HTTPS Proxy redirect question

8 Replies

Recent Discussions

What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning

What is the meaning is 52% block in WAF

Rundeck ansible F5 errors

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Related Content

https to https redirection

iRule HTTPS to HTTPS redirection

irule redirect question

Simple HTTP::redirect iRule results in a reset

HTTP::redirect doesn't work for multiple conditions, URL redirect doesn't work using iRule