Forum Discussion

Chakravarthi_P1
Aug 01, 2012

HTTPS passthrough with HTTP:Host validation

Hi,

I am trying to set up an HTTPS passthrough where the SSL certs would be configured on the servers.

DNS:

test.mydomain.com --- 59.40.33.11
web.mydomain.com -- 59.40.33.11
dev.mydomain.com -- 59.40.33.11

Virtual Server

59.40.33.11

Nodes:

10.33.84.21 (test web server)
10.33.84.42 (production web server)
10.33.84.52 (dev web server)

Now, based on the FQDN, I want to divert the traffic. I am able to achieve this with HTTP by using the switch option.

But I am not able to do it with HTTPS, as I am not able to use HTTP / fasthttp with SSL passthrough.

Can someone help me here?

Regards

Chakri

 

3 Replies

  • Hi Chakri,

    In order to inspect the HTTP host header value for all browsers, you'd need to decrypt the SSL and parse the HTTP headers.

    If you have a controlled population of users and guarantee they use more current browsers, you could potentially do this by reading the TLS server name indicator from the SSL handshake:

    http://en.wikipedia.org/wiki/Server_Name_Indication

    Here's an example from Joel Moses showing how you can parse the TLS SNI value:

    https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx

    Aaron
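The SNI approach Aaron describes, as an added illustration that is not the iRule from the linked DevCentral page: a Python parser that pulls the host_name out of a ClientHello's server_name extension and maps it onto the three pools from the question, with a fallback pool for clients that send no SNI (the older-browser case raised in this thread) and None for any name that is not configured, so the connection can be reset instead of landing on a default server. The ClientHello builder, the POOLS map and select_pool are constructed for this example.

```python
import struct
POOLS = {"test.mydomain.com": "10.33.84.21", "web.mydomain.com": "10.33.84.42", "dev.mydomain.com": "10.33.84.52"}

def build_client_hello(hostname):
    """Construct a minimal TLS ClientHello record (constructed test input, not captured traffic)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0) + name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni       # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random (zeros), empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type handshake(22)

def extract_sni(data):
    """Return the host_name from the server_name extension, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            return None                                          # not a complete ClientHello record
        hs_end = 9 + int.from_bytes(data[6:9], "big")
        p = 9 + 2 + 32                                           # skip client_version and random
        p += 1 + data[p]                                         # skip session_id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]           # skip cipher_suites
        p += 1 + data[p]                                         # skip compression_methods
        if p + 2 > hs_end:
            return None                                          # no extensions block (older clients)
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if ext_type == 0x0000:
                q = p + 2                                        # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                    if data[q] == 0:                             # name_type host_name
                        return data[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
                return None
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def select_pool(client_hello, no_sni_pool):
    """Pool for a passthrough connection: SNI lookup, fallback for clients without SNI, None for unknown names."""
    host = extract_sni(client_hello)
    return POOLS.get(host.lower()) if host else no_sni_pool
```

Only the first record of the client's first flight is needed; the parser never touches the encrypted application data, so the servers keep their own certificates as in the question.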
  • Hi Aaron,

    Thank you for the quick response and reference links.

    Users may attempt from various versions of browsers, so TLS server name may not be suitable...

    To decrypt the SSL, can I have multiple SSL certs (for three different URLs) on the same Virtual server?

    Regards

    Chakri
  • No, you can only have one clientssl profile per VIP. But there are alternatives. In this thread: https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2163786/showtab/groupforums/Default.aspx

    nathan suggests using a wildcard SSL cert, and I suggest using SANs on a certificate to cover the names you'd like to use.