Forum Discussion
Irule help
To create an iRule to create a client SSL profile and server SSL profile on a virtual server using SNI with a wildcard certificate with SAN.
This virtual server would be used for different environments such as abc1.com, abc2.com, abc3.com.
When the client sends the request to the virtual server, get the servername and assign it to the client profile on the client-ssl hello.
For example:
    abc1.com    client-ssl-profile-abc    servername abc1.com
    abc2.com    client-ssl-profile-abc    servername abc2.com
    abc3.com    client-ssl-profile-abc    servername abc3.com
When the request goes to the server side, at the server SSL profile, abc1.com is to be replaced with abcsecure1.com.
For example:
    abcsecure1.com    server-ssl-profile-abc    servername abcsecure1.com
    abcsecure2.com    server-ssl-profile-abc    servername abcsecure2.com
    abcsecure3.com    server-ssl-profile-abc    servername abcsecure3.com
- F5-Geek
Nimbostratus
Is the below iRule going to work?

    when HTTP_REQUEST {
        set hostname HTTP::header replace Host "[class match -value [SSL:extension sni name ] equals "hostgroup"]"
    }
    when SERVERSSL_CLIENTHELLO_SEND {
        set bin [binary format S1S1S1S1ca* 0 [expr [string length $hostname] + 5] [expr [string length $hostname] + 3] 0 [string length $hostname] $hostname]
        SSL::extensions insert $bin
    }

datagroup string abc1.com=abcsecure1.com abc2.com=abcsecure1.com
- youssef1
Cumulonimbus
Hi,
Find below the iRule you need.

    when HTTP_REQUEST {
        # One flag per hostname, read again in SERVER_CONNECTED
        set abc1 0
        set abc2 0
        set abc3 0
        switch -glob [string tolower [HTTP::host]] {
            "abc1.com" {
                set abc1 1
                HTTP::header replace Host "abcsecure1.com"
            }
            "abc2.com" {
                set abc2 1
                HTTP::header replace Host "abcsecure2.com"
            }
            "abc3.com" {
                set abc3 1
                HTTP::header replace Host "abcsecure3.com"
            }
            default {
                # do nothing
            }
        }
    }
    when SERVER_CONNECTED {
        if {$abc1} {
            SSL::enable serverside
            SSL::profile server-ssl-profile-abc1
        } elseif {$abc2} {
            SSL::enable serverside
            SSL::profile server-ssl-profile-abc2
        } elseif {$abc3} {
            SSL::enable serverside
            SSL::profile server-ssl-profile-abc3
        } else {
            SSL::enable serverside
            SSL::profile serverssl-insecure-compatible
        }
    }

As you can notice, I set a different SSL server profile depending on the hostname you entered. It is just an example.
You can set the same if wanted.
regards,
- Stanislas_Piro2
Cumulonimbus
Hi,
This code won’t work
set hostname HTTP::header replace Host "[class match -value [SSL:extension sni name ] equals "hostgroup"]"
Maybe this one
set hostname [HTTP::header replace Host "[class match -value [SSL:extension sni name ] equals "hostgroup"]" ]
I’m not sure [SSL:extension sni name ] works in HTTP_REQUEST event. You may catch it in CLIENTSSL_CLIENTHELLO, and change the host header in HTTP_REQUEST

    when CLIENTSSL_CLIENTHELLO {
        set hostname [class match -value [SSL:extension sni name ] equals "hostgroup"]
    }
    when HTTP_REQUEST {
        HTTP::header replace Host $hostname
    }
    when SERVERSSL_CLIENTHELLO_SEND {
        set bin [binary format S1S1S1S1ca* 0 [expr [string length $hostname] + 5] [expr [string length $hostname] + 3] 0 [string length $hostname] $hostname]
        SSL::extensions insert $bin
    }
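
The hostname lookup and the `binary format` call discussed in this thread, as an added example for plain tclsh that is not any poster's code and uses no BIG-IP commands: it builds the server_name extension with the same format string, decodes it with the RFC 6066 layout to check the length fields, and handles a client SNI name that is not in the map. The names `backend_map`, `map_sni`, `build_sni`, `parse_sni` and the fallback host are assumptions made for illustration.

```tcl
# Added example for plain tclsh (8.5+); no BIG-IP commands are used.
# backend_map stands in for the thread's "hostgroup" data group (constructed values).
set backend_map {abc1.com abcsecure1.com abc2.com abcsecure2.com abc3.com abcsecure3.com}

# Look up the backend name for a client SNI name. Returns default_backend
# (hypothetical parameter) when the name is not in the map, so the Host header
# and the server-side SNI are never built from an empty string.
proc map_sni {sni map default_backend} {
    set key [string tolower $sni]
    if {[dict exists $map $key]} { return [dict get $map $key] }
    return $default_backend
}

# Same binary format call as the iRule: builds the server_name extension.
proc build_sni {hostname} {
    set n [string length $hostname]
    return [binary format S1S1S1S1ca* 0 [expr {$n + 5}] [expr {$n + 3}] 0 $n $hostname]
}

# Decode with the RFC 6066 layout and check every length field:
# ext type (2) | ext length (2) | list length (2) | name type (1) | name length (2) | name
proc parse_sni {bin} {
    if {[binary scan $bin SuSuSucuSu type extlen listlen ntype nlen] != 5} {
        error "truncated server_name extension"
    }
    set name [string range $bin 9 end]
    if {$type != 0 || $ntype != 0} { error "not a host_name entry" }
    if {$extlen != [string length $bin] - 4 || $listlen != $extlen - 2
            || $nlen != [string length $name]} {
        error "length fields do not match the payload"
    }
    return $name
}

# Constructed sample inputs: two mapped names (one mixed case) and one unmapped name.
foreach sni {abc1.com ABC2.com unknown.example} {
    set backend [map_sni $sni $backend_map abcsecure1.com]
    set ext [build_sni $backend]
    binary scan $ext H* hex
    puts [format "%-16s -> %-15s %s (parsed: %s)" $sni $backend $hex [parse_sni $ext]]
}
```

The format string writes the name type as 16 bits and the name length as 8 bits, which yields the same bytes as the RFC layout (8-bit type, 16-bit length) only while the hostname is shorter than 256 bytes.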