Forum Discussion

DCP
Nimbostratus
Oct 06, 2014

iRule to Pool supporting SSL with different Host name

We have an environment that requires users to hit a VIP that uses F5 to offload SSL. If users request /login, we need to rewrite the host information and re-encrypt traffic back to the pool using a certificate specific to that host and not the original certificate used on the called VIP. A business need requires that the second host name be hidden. We have tried enabling and disabling SSL:: <> serverside, and adding server-side certificate profiles to the VIP or within the iRule. Any change to using a standard redirect to the second host name returns page not found.

https://server.mycompany.com/pages/index -> (Server-SSL_Client_profile) -> Standard Pool on port 80

https://server.mycompany.com/login/login.html -> Host replaced with server2.mycompany.com -> SSL using Server2 certificate -> login_pool on port 443

If server2.mycompany.com is in the host in the response, it needs to be rewritten back to server.mycompany.com.

Using a redirect to a separate VIP and login pool works, but fails to hide the server2.mycompany.com host name in the browser.


2 Replies

  • John_Alam_45640
    Historic F5 Account

    Try the ProxyPass Lite iRule: https://devcentral.f5.com/wiki/iRules.Proxy-Pass-Lite.ashx

    If that is not enough, try the full-featured ProxyPass iRule: https://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx

    FYI, in version 11.4 and above, there are 1) Rewrite Profiles, and 2) Local Traffic Policies which do similar operations. I don't think either of them will do what you want in terms of changing both the header and the body of responses.


  • If you're referring to simply adding a server SSL profile for when the request flow has to go to the server2 pool, the easiest method is to apply the server SSL profile to the virtual server configuration and disable it for the regular traffic. You can't use the SSL::enable and SSL::disable commands unless an SSL profile is applied to the VIP. Something like this:

    when CLIENT_ACCEPTED {
        # remember the virtual server's default pool so it can be restored later
        set default_pool [LB::server pool]
    }
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/login/login.html" {
                pool login_pool
                HTTP::header replace Host "server2.mycompany.com"
                # re-enable server-side SSL in case an earlier request on this
                # connection disabled it
                SSL::enable serverside
            }
            default {
                # default_pool is a variable, so it must be dereferenced with $
                pool $default_pool
                SSL::disable serverside
            }
        }
    }
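Added example, not the poster's iRule or F5's code: it extends the request-side pool and Host selection above with the response-side rewrite the original question asks for, so server2.mycompany.com never reaches the browser in a redirect, cookie, or page body. It assumes a server SSL profile and a blank Stream profile are attached to the virtual server, and that the pool name login_pool and both host names are as given in the thread.

```tcl
# Added example (not from the thread). Requires a server SSL profile and a
# blank Stream profile on the virtual server; pool and host names are assumed
# from the question above.
when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    # reset per-request stream state and ask for an uncompressed body,
    # otherwise the body rewrite below cannot see the text
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
    switch [string tolower [HTTP::path]] {
        "/login/login.html" {
            pool login_pool
            HTTP::header replace "Host" "server2.mycompany.com"
            SSL::enable serverside
        }
        default {
            pool $default_pool
            SSL::disable serverside
        }
    }
}

when HTTP_RESPONSE {
    set hidden "server2.mycompany.com"
    set public "server.mycompany.com"
    set map [list $hidden $public]
    # redirects: a Location pointing at the hidden host would expose it
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" [string map $map [HTTP::header "Location"]]
    }
    # cookies scoped to the hidden domain would also be rejected by the browser
    if { [HTTP::header exists "Set-Cookie"] } {
        set cookies [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach c $cookies {
            HTTP::header insert "Set-Cookie" [string map $map $c]
        }
    }
    # body: rewrite only text content (HTML, JS, CSS); leave binaries alone
    if { [HTTP::header "Content-Type"] starts_with "text/" } {
        STREAM::expression "@$hidden@$public@"
        STREAM::enable
    }
}
```

Without the Stream profile attached, the STREAM:: commands fail at load time, and without stripping Accept-Encoding the compressed body passes through unmodified.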