Forum Discussion
iRule to choose SSL serverside Profile to use based on HTTP_REQUEST
Hi Folks,
I want to think this is possible. I am trying to select the serverside connection's SSL profile based on the HTTP_REQUEST and host header. For example,
If host header is abc.example.com I want the serverside SSL profile to be the default serverssl. But if the host header is xyz.example.com then I want the serverside SSL profile to be serverssl-insecure-compatible. The client side connection works fine, and I am also using a wildcard cert for example.com.
I've seen a lot of posts on enabling or disabling ssl serverprofiles, but not about selecting which profile to use.
Here is my code thus far.
when HTTP_REQUEST {
    HTTP::header remove "Accept-Encoding"
    switch [string tolower [HTTP::host]] {
        "abc.example.com" {
            # Server ssl profile select goes here
            pool abc_pool_https
        }
        "xyz.example.com" {
            # Server ssl profile select goes here
            pool xyz_pool
        }
    }
}
- Jim_Araujo_1061Nimbostratus
Figured it out! Had to add a variable in the HTTP_REQUEST and add the event for SERVER_CONNECTED. See code below.
when HTTP_REQUEST {
    HTTP::header remove "Accept-Encoding"
    # Reset on every request so the variable is always defined in SERVER_CONNECTED
    set doSSL 0
    switch [string tolower [HTTP::host]] {
        "abc.example.com" {
            # Server ssl profile select goes here
            pool abc_pool_https
        }
        "xyz.example.com" {
            set doSSL 1
            pool xyz_pool
        }
    }
}
when SERVER_CONNECTED {
    if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile serverssl-insecure-compatible
    }
}
- Doran_108060Nimbostratus
can you do the same thing on the client side ?
- nitassEmployee
can you do the same thing on the client side ?
isn't sni usable?
sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication feature
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
- Casy_198704Nimbostratus
This is older but I wanted to add my notes/comments because I just ran into this. Hope this helps someone out in the future.
I added a default ssl server profile to my VIP. Then updated my primary irule to initially disable the server side ssl for all sites and then re-enable it on the website that I needed it on.
when CLIENT_ACCEPTED {
    # Start with server-side SSL off for every site
    SSL::disable serverside
}
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        site1.website.com { pool site1.website.com_pool }
        site2.website.com { pool site2.website.com_pool }
        sslsite3.website.com {
            # Pattern is lowercase because the host is lowercased above
            SSL::enable serverside
            pool SSLsite3.website.com_pool
        }
        site4.website.com { pool site4.website.com_pool }
        default { reject }
    }
}
- Stanislas_Piro2Cumulonimbus
Hi,
You can do this more easily since version 11.5 (the feature is available in 11.4 but not working...) with Local traffic policies.
Rule 1:
- Condition:
  - HTTP-host host site1.website.com
- Action:
  - forward pool site1.website.com_pool
  - serverssl disable
Rule 2:
- Condition:
  - HTTP-host host site2.website.com
- Action:
  - forward pool site2.website.com_pool
  - serverssl disable
Rule 3 (SSL Site):
- Condition:
  - HTTP-host host site3.website.com
- Action:
  - forward pool site3.website.com_pool
-
Condition :
- Jaz_170005Nimbostratus
thank you.... this post helped me.