For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

swjo_264656's avatar
swjo_264656
Icon for Cirrostratus rankCirrostratus
Sep 26, 2017

Implement selective SSL offload

Hi guys.   My client`s BIGIP have following configuration.   VIP : 211.233.44.50:80fastL4 persist(match across service) mypool:80 VIP : 211.233.44.50:443fastL4 persist(match across service) myp...
application delivery
iRules
LTM
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Sep 26, 2017

You can't add Client-SSL profiles to fastL4 virtuals - they will need to be standard virtuals.

 

You can add multiple Client-SSL certificates to a virtual using SNI to select the appropriate certificate, but you need to have a default Client-SSL certificate for SNI to present when none of the specific SNI names match. You will also need a serverside SSL profile.

 

You could use an iRule that snoops the TCP connection looking for an SNI header, and disables the client-side and server-side ssl profiles for passthrough if they don't match the correct domains, but that is complex, and I think it would be better to go the whole way and just offload everything.