Forum Discussion
HTTP HTTPS Proxy redirect question
- Oct 10, 2013
Yes, you can do this: you create two virtuals using the same IP address, one listening on port 80 and the other listening on port 443. The port 80 traffic will be sent to the server, which will use the HTTP host headers to display the correct site, just like now.
The problem comes with the HTTPS site. You have two servers each hosting the same sites? If so, put them in one pool and add both SSL certs to the virtual using the link below:
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html?sr=32430737
The problem you will run into is that if the client does not support TLS hostname, then the LTM will not know which cert to pass back to the client and will pass back the default cert, which in your case has a 50% chance of being the correct cert. Now, if most of your clients support this, you should not have a problem.
The admin guides on the support site can go into much greater detail, but essentially you'd do this:
- Create a pool of web servers for each application
- Create the above iRule and modify as required (change host and pool names accordingly)
- Create a virtual server and apply the iRule (and potentially one default pool)
- Apply an HTTP profile to the VIP config
- Apply any other profiles as required (persistence, SNAT, etc.)
That's really about it. For HTTPS traffic you'll create a separate VIP listening on the same IP address and port 443. All other settings can be the same (HTTP profile, default pool, iRule, etc.). You also need a client SSL profile for this VIP to be able to negotiate SSL with the client. If you choose options 1 or 2 above (wildcard or SAN), you'll need to first acquire one of those types of certificates and private keys, apply them to a single client SSL profile, and then apply that profile to the VIP. If you choose option 3 (SNI) - and remember its SSL/TLS and F5 v11 requirement - you would create a separate client SSL profile for each single subject certificate, specify a host name in the "server name" block in the profile that matches the subject name in the certificate, and designate one profile as the "default" (a check box in the profile). Apply all of these client SSL profiles to the VIP.