Forum Discussion
iRule to select different access profile based upon host header?
As the title states, I am looking for an iRule to select a different access profile based upon host header. In our current environment we configure VIPs with a specific access profile using SAML (BigIP as SP). We export the metadata to a passport server and use a SAML header insert iRule to pass the EPPN or whatever along to the web servers. This works fine, but we end up having to burn multiple VIPs for sites on the same server pairs. I am using an iRule for non-SAML sites to direct to different ports on the same server pair based on the host header (i.e. if the URL is stage.site.com go to the pool on port 8000, if dev.site.com go to the pool on port 8001, etc.) and was wondering if there was a way to do the same thing but select a different access profile as well.
- Lee_Sutcliffe
Nacreous
You can only apply one access profile per virtual server, so you will have to use layered virtual servers.
For example, have one virtual server acting as a broker, then use an iRule to select the virtual server with the associated access policy, based on the required host header.
This can be done using a simple switch statement, but does need to have multiple virtual servers.

```tcl
when HTTP_REQUEST {
    # Hand the request to the virtual server that carries the matching access profile
    switch [string tolower [HTTP::host]] {
        "www.site1.com" { virtual site1_vs }
        "www.site2.com" { virtual site2_vs }
        "www.site3.com" { virtual site3_vs }
    }
}
```
- Stanislas_Piro2
Cumulonimbus
I agree with layered virtual servers...
but routing based on an HTTP event requires an SSL profile assigned to the front virtual server...
APM can require an SSL profile assigned to the 2nd virtual server:
- client cert authentication
- multi domain SSO
- ...
So to make it work, you can use layered virtual servers based on the TLS SNI extension, which is the same value as the HTTP host header in a real browser connection.
Look at this article:
https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
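A sketch of the SNI-based layering described in the replies above, added here as an example; it is not code from the thread or from the linked article. It reuses the `site1_vs` to `site3_vs` names from the first reply and assumes the ClientHello arrives in a single TLS record, that unknown names should be rejected, and that each inner virtual server checks the Host header, since a non-browser client can send an SNI and a Host header that differ.

```tcl
# iRule 1: front (broker) virtual server, TCP profile only (no client SSL, no HTTP).
when CLIENT_ACCEPTED { TCP::collect }
when CLIENT_DATA {
    set sni ""
    if { [TCP::payload length] < 5 } { TCP::collect ; return }
    set p [TCP::payload]
    # TLS record header: type(1) version(2) length(2). Type 22 = handshake.
    if { [binary scan $p cSS rtype rver rlen] == 3 && $rtype == 22 } {
        if { [TCP::payload length] < 5 + ($rlen & 0xffff) } {
            TCP::collect ; return   ;# ClientHello incomplete, wait for more data
        }
        # A malformed hello makes a scan come up short; catch leaves sni empty.
        catch {
            # Offset 43 = record hdr(5) + handshake hdr(4) + version(2) + random(32)
            binary scan $p @43c sidlen
            set off [expr { 44 + ($sidlen & 0xff) }]
            binary scan $p @${off}S cslen            ;# cipher suites length
            set off [expr { $off + 2 + ($cslen & 0xffff) }]
            binary scan $p @${off}c cmlen            ;# compression methods length
            set off [expr { $off + 1 + ($cmlen & 0xff) }]
            binary scan $p @${off}S extlen           ;# total extensions length
            set off [expr { $off + 2 }]
            set end [expr { $off + ($extlen & 0xffff) }]
            while { $off + 4 <= $end } {
                binary scan $p @${off}SS etype elen
                if { $etype == 0 } {
                    # server_name: list len(2) name type(1) name len(2) name
                    binary scan $p @[expr { $off + 7 }]S nlen
                    binary scan $p @[expr { $off + 9 }]a[expr { $nlen & 0xffff }] sni
                    break
                }
                set off [expr { $off + 4 + ($elen & 0xffff) }]
            }
        }
    }
    # Assumption: connections with no SNI or an unlisted name are dropped.
    switch -- [string tolower $sni] {
        "www.site1.com" { virtual site1_vs }
        "www.site2.com" { virtual site2_vs }
        "www.site3.com" { virtual site3_vs }
        default { reject ; return }
    }
    TCP::release
}

# iRule 2: on site1_vs (client SSL + HTTP + access profile); repeat per site.
when HTTP_REQUEST {
    # SNI chose this virtual server; refuse a Host header naming another site.
    if { [string tolower [getfield [HTTP::host] ":" 1]] ne "www.site1.com" } {
        reject
    }
}
```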