Forum Discussion

Brad_146558
Apr 01, 2014

HTTP_REQUEST switch Question.

So I'm looking at consolidating IP addresses with an iRule. The iRule works great, but one of the follow-up questions I got from other people in the department is whether you can do SSL with that iRule. I drew a blank because, since there isn't a VS associated with each website, I didn't know how to terminate SSL on the F5. So below is the general structure of the iRule we are using.

 

when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "example1.com" { pool example1_pool } "example2.com" { pool example2_pool } "example3.com" { pool example3_pool } default { pool pool_webservers} } }

 

What I was wondering is whether, instead of using pools, I could send traffic to a virtual server. That would allow me to do different things with SSL, caching and compression on a per-website basis.

 

  • Two things. Yes, you can absolutely use "virtual " rather than "pool " if you have a virtual that is set up to do what you want.

     

    That said, you have to terminate SSL in order to see the HTTP::host value. Are you talking about treating the back end differently? Server Side SSL? Server side SSL and Oneconnect, NTLM profiles and iRules are all really good reasons to use Virtuals like this.

     

    As for terminating SSL for multiple Hosts on the same VIP, the simple answer is to build your SSL cert with Subject Alt Names. That way the same cert will be good for a number of different Hosts.
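A check that follows from the Subject Alt Name suggestion above, added here as an example and not part of any post in the thread: it pulls the host patterns out of the iRule text and reports any that the certificate's SAN entries would not cover. The SAN list and all function names are constructed for illustration; the wildcard rule assumed is the usual one, where `*` matches exactly one leftmost label.

```python
import re

# The iRule from the thread, embedded as text so the check runs offline.
IRULE = '''
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "example1.com" { pool example1_pool }
        "example2.com" { pool example2_pool }
        "example3.com" { pool example3_pool }
        default { pool pool_webservers }
    }
}
'''

# Constructed sample: dNSName entries of a hypothetical SAN certificate.
CERT_SANS = ["example1.com", "example2.com", "*.example3.com"]


def irule_hosts(irule_text):
    """Return the quoted host patterns used as switch arms (pool or virtual)."""
    return re.findall(r'"([^"]+)"\s*\{\s*(?:pool|virtual)\b', irule_text)


def san_matches(san, host):
    """dNSName match: case-insensitive; '*' covers exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return san == host


def uncovered_hosts(irule_text, sans):
    """Hosts the iRule routes for which no SAN entry is valid."""
    return [h for h in irule_hosts(irule_text)
            if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    for host in uncovered_hosts(IRULE, CERT_SANS):
        print(f"no SAN covers {host}: clients will see a certificate name mismatch")
```

With the constructed SAN list, `example3.com` is reported because a wildcard entry does not cover the bare domain.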

     

  • when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "example1.com" { pool example1_pool }
            "example2.com" { pool example2_pool }
            "example3.com" { pool example3_pool }
            default { pool pool_webservers }
        }
    }
    
    Hopefully this format pastes a little better.
    