Forum Discussion
irule for multiple webservers
The application does use an SSL cert. How would I go about creating an iRule then? How would I decrypt it? Also, the FQDN in the above snippet, is that the virtual name of the VS?
So just to level set, I'm still assuming that you want all of the websites to flow through a single VIP, a "super VIP" if you will. If that's the case, then you have two things to deal with:
- The requested host name - this is what the iRule above is looking at. The FQDN in the iRule is the HTTP Host header coming from the client - the host name that the client is trying to access. The above iRule sends traffic to different pools based on this Host header.
- SSL offload - to even be able to use the above iRule, you must terminate the client side SSL at the F5 with a client SSL profile. But because you have multiple hosts coming to a single VIP, because most server certificates are bound to only one subject (server) name, and asking for a service by another name would generate a certificate error in the client's browser, there are some options that you'd need to explore. You could opt to use a wildcard (i.e. *.domain.com) cert in the client SSL profile. It's generally an expensive option, but then covers any host name under a given domain. You could opt for a "Subject Alt Name" (SAN) certificate in the client SSL profile. This is a bit less expensive usually and only contains a small list of subject names. Or you could opt for the "Server Name Indicator" (SNI) route. This relies on an extension to the TLS protocol, whereby the client sends the server name in its initial CLIENTHELLO message to start the TLS session. You can create a separate client SSL profile for each single-subject certificate, specify the server name (should be the same as the subject of the cert), and then apply all of these client SSL profiles to the VIP. The SNI process will choose the correct profile based on the user's request. It's by far the cheapest option, but requires all of your clients to support and use TLS (vs. SSLv3).
If a VIP already has an iRule associated, can it include multiple iRules? So basically, can a VIP have more than one iRule associated with it?
Absolutely. You want to take care that multiple iRules applied to a VIP don't provide contradicting information or commands, but otherwise you can definitely apply multiple iRules to a VIP.