Forum Discussion

Cirrostratus

Sep 25, 2017

Implement selective SSL offload

Hi guys. My client`s BIGIP have following configuration. VIP : 211.233.44.50:80fastL4 persist(match across service) mypool:80 VIP : 211.233.44.50:443fastL4 persist(match across service) myp...

Employee

Sep 25, 2017

You can't add Client-SSL profiles to fastL4 virtuals - they will need to be standard virtuals.

You can add multiple Client-SSL certificates to a virtual using SNI to select the appropriate certificate, but you need to have a default Client-SSL certificate for SNI to present when none of the specific SNI names match. You will also need a serverside SSL profile.

You could use an iRule that snoops the TCP connection looking for an SNI header, and disables the client-side and server-side ssl profiles for passthrough if they don't match the correct domains, but that is complex, and I think it would be better to go the whole way and just offload everything.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)