Forum Discussion

Sarah's avatar
Sarah
Icon for Cirrus rankCirrus
Dec 26, 2022

HTTPS passthrough for a single domain name

Hi Everyone,

I have 1x HTTPS virtual server hosting multiple applications/ domain names (e.g. X.com, Y.com, Z.com, etc.) it is configured with SSL Bridging mode (both VS and pool members are 443).

My question is if I want a specific domain name Y.com to be handled as SSL passthrough where certificate is terminated on the backend servers. Meaning if domain name is Y.com the traffic will not be inspected, and HTTP, clientssl, and serverssl profiles must disable in this case.

Not sure if this could be implemented, but any idea would be highly appreciated.

Thank you.

  • SarahThe only way to do this without the F5 decrypting it at all would be using this article most likely where SNI is used. If SNI is not used you will not be able to do what you are asking.

    https://support.f5.com/csp/article/K13452

    The reason you are not able to perform the action that most people are recommending without decrypting is because all the iRule options would be looking at the HTTP header which cannot be inspected until after the SSL connection has been decrypted. If SNI is not an option all the time you would have to create a new virtual server with a unique SSL certificate that encompases all FQDNs in question so that you can seperate out the can inspect and cannot inspect by virtual server. The following link might assist you in the future on what happens where when using an iRule.

    https://packetpushers.net/wp-content/uploads/2013/11/Event_Order_HTTP_v12.png

     

  • Hello,

    Unfortunately, I didn't test this scenario before, but you can check the LTM policies that might meet your requirement.

    You can create a rule that checks the host in the HTTP request, and the action could be disabling the client and server SSL profiles as the below one. But I think you should take into consideration the profiles used by that virtual server.

    Thanks,

    • Sarah's avatar
      Sarah
      Icon for Cirrus rankCirrus

      Thank You Mohammed for your response.

      I am looking for a way to check the domain name before processing the clientssl since the application requires client certificate for authentication. Therefore, I am not sure if the proposed solution will achieve the desired when HTTP Host is used in condition?

      I found this article SNI Routing with BIG-IP explaining what I was trying to achieve, However, I have not tested it yet.

      Thank you again,

      • Hello,

        I think yes, you can use the host condition in the LTM policy to disable the server SSL, because F5 will check the host header after establishing the SSL connection with the client already.

         

         

    • PSFletchTheTek's avatar
      PSFletchTheTek
      Icon for MVP rankMVP

      I'd love to know if you got that working.
      I know the server side config works as i use it myself.

      I'm just not to sure where in the stack the client ssl side kicks in, it might be at a point to late to try to stop it doing the tls offload.

  • Do these servers have the same VIP? 

    F5 should check the http request header for domain information check. 

    Y.com has another VIP if you want to handle it your way. 



    Thank you.

    • Sarah's avatar
      Sarah
      Icon for Cirrus rankCirrus

      Yes, all on the same VIP.

      I'm looking for a way to check the server name in the ssl certificate and take action based on it's value, i'm thinking if it could be done either by iRule or Local Traffic Policy?