Forum Discussion
Chakravarthi_P1
Nimbostratus
Aug 01, 2012
HTTPS passthrough with HTTP:Host validation
Hi,
I am trying to set up an HTTPS passthrough where SSL certs would be configured on the servers.
DNS:
test.mydomain.com --- 59.40.33.11
web.mydomain.com -- 59.40.33.11
dev.mydomain.com -- 59.40.33.11
Virtual Server
59.40.33.11
Nodes:
10.33.84.21 (test web server)
10.33.84.42 (production web server)
10.33.84.52 (dev web server)
Now, based on FQDN, I want to divert the traffic. I am able to achieve this with HTTP by using the switch option,
but I am not able to do it with HTTPS, as I am not able to use HTTP / fasthttp with SSL passthrough.
Can someone help me here?
Regards
Chakri
3 Replies
- hoolio
Cirrostratus
Hi Chakri,
In order to inspect the HTTP host header value for all browsers, you'd need to decrypt the SSL and parse the HTTP headers.
If you have a controlled population of users and guarantee they use more current browsers, you could potentially do this by reading the TLS server name indicator from the SSL handshake:
http://en.wikipedia.org/wiki/Server_Name_Indication
Here's an example from Joel Moses showing how you can parse the TLS SNI value:
https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx
Aaron
- Chakravarthi_P1
Nimbostratus
Hi Aaron,
Thank you for the quick response and reference links.
Users may attempt from various versions of browsers, so the TLS server name may not be suitable.
To decrypt the SSL, can I have multiple SSL certs (for three different URLs) on the same virtual server?
Regards
Chakri
- dlg_23340
Cirrus
No, you can only have one clientssl profile per VIP. But there are alternatives. In this thread: https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2163786/showtab/groupforums/Default.aspx
nathan suggests using a wildcard SSL cert, and I suggest using SANs on a certificate to cover the names you'd like to use.
