Forum Discussion
irule with different SSL profiles depending on the pool.
Converting another load balancing device to the F5 and have a question that I just can't seem to find the answer for. I have an HTTPS virtual server that is going to load balance to different pools based on the matches, and some pools use different cert/key pairs (aka profiles). Below is a small example that I have tried, but it always fails on the profile part. There are actually many more matches in the iRule that go to many more pools with other SSL profiles.
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/external/lifts/docs" -
        "/internal/sites" {
            pool CompanyA
            # attempted server-side profile switch from HTTP_REQUEST (fails here)
            SSL::enable serverside
            SSL::profile CompanyA
        }
        "/external/boats/docs" -
        "/internal/states" {
            pool CompanyB
            SSL::enable serverside
            SSL::profile CompanyB
        }
    }
}
- nathe (Cirrocumulus)
Quick thought, do you have a serverssl profile on the VIP? I understand it's a pre-req for serverssl switching.
N
- helm123_141710 (Nimbostratus)
Hi Nathan,
Yep, I have a serverssl profile in the SSL Profile (Server) slot on the VIP. We're transitioning from ACE modules/appliances, where you could assign different SSL profiles under the load balance policies, and I'm hoping to do about the same thing.
- nathe (Cirrocumulus)
Stephan's right. Do you mean the server-side connection or the client side? Is it the cert the BIG-IP presents to the client, or the cert the server presents to the BIG-IP?
- helm123_141710 (Nimbostratus)
Hey Nathan, it's the cert the server presents to the BIG-IP, but it's actually 2-way SSL. The client connects to the VIP with one-way SSL, and then via the iRule the BIG-IP sets up a two-way SSL connection to the real server.
Hi helm123,
If the client supports SNI (Server Name Indication, an extension available with SSL/TLS), the client provides, in the hello, an attribute containing the expected common name of the server certificate.
This way the virtual server can pick the proper certificate and the client won't throw an error message due to a certificate mismatch.
Thanks, Stephan
- Hi helm123, the typical requirement would be to:
  - provide the expected certificate to the client during the handshake
  - inspect the HTTP payload (requires an established SSL/TLS connection between client and virtual server)
  - make a forwarding decision (considering persistence)
  - re-encrypt the HTTP payload before forwarding to the selected real server (aka pool member)
For SSL/TLS termination between client and virtual server the client-ssl profile(s) is/are relevant. For SSL/TLS communication between load balancer and real server the server-ssl profile(s) is/are relevant.
The client-ssl profile(s) contain(s) the server certificate, private key and intermediate CA certificate provided to the client. The server-ssl profile(s) would contain client certificates to be provided to the real server (not required that often).
Switching SSL profiles is supported before doing the SSL/TLS handshake, i.e. after the CLIENT_ACCEPTED event is fired (right after the 3-way handshake). They cannot be changed after the SSL/TLS connection was established to send a payload through the encrypted "tunnel".
I hope this helps a bit regarding the F5 terminology. :)
Thanks, Stephan
- helm123_141710 (Nimbostratus)
Thanks Stephan, yep, this is actually the SSL (2-way) connection from the F5 to the real servers. I actually have a decent number of pools inside the iRule that are going to require different cert/key pairs (server SSL profiles), determined by the customers' real servers. I started looking at some of the examples showing the CLIENT_ACCEPTED setup that Google helped me find. I was able to get this iRule configuration accepted when I hit update.
when CLIENT_ACCEPTED {
    # note: CLIENT_ACCEPTED fires before any HTTP_REQUEST, so doSSL is not yet set here
    if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile CompanyA
    } elseif { $doSSL == 2 } {
        SSL::enable serverside
        SSL::profile CompanyB
    }
}
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/external/lifts/docs" -
        "/internal/sites" {
            set doSSL 1
            pool CompanyA
        }
        "/external/boats/docs" -
        "/internal/states" {
            set doSSL 2
            pool CompanyB
        }
    }
}
- nathe (Cirrocumulus)
How about using SERVER_CONNECTED:
When HTTP REQUEST {
    switch -glob [HTTP::uri] {
        "/external/lifts/docs" -
        "/internal/sites" {
            pool CompanyA
        }
        "/external/boats/docs" -
        "/internal/states" {
            pool CompanyB
        }
    }
}
when SERVER_CONNECTED {
    switch [LB::server pool] {
        CompanyA { SSL::profile CompanyA }
        CompanyB { SSL::profile CompanyB }
    }
}
See if that helps; I'm not in front of my lab box to fully test the syntax etc.
N
- nathe (Cirrocumulus)
Sorry, syntax error:
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/external/lifts/docs" -
        "/internal/sites" {
            pool CompanyA
        }
        "/external/boats/docs" -
        "/internal/states" {
            pool CompanyB
        }
    }
}
when SERVER_CONNECTED {
    switch [LB::server pool] {
        CompanyA { SSL::profile CompanyA }
        CompanyB { SSL::profile CompanyB }
    }
}
- helm123_141710 (Nimbostratus)
I should have replied back long ago that we got this working with the below.
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/external/lifts/docs" -
        "/internal/sites" {
            pool CompanyA
            set doSSL 1
        }
        "/external/boats/docs" -
        "/internal/states" {
            pool CompanyB
            set doSSL 2
        }
    }
}
when SERVER_CONNECTED {
    # the server-ssl profile is applied before the server-side TLS handshake
    if { $doSSL == 1 } {
        SSL::enable serverside
        SSL::profile SSL_2Way
    } elseif { $doSSL == 2 } {
        SSL::enable serverside
        SSL::profile SSL_1Way
    }
}
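As an added example (not code from any of the posters above), here is the same pattern written so that SERVER_CONNECTED can never read an unset selector variable: the variable is initialised in CLIENT_ACCEPTED and a default branch covers URIs that match no rule. The pool names, profile names (serverssl_default, serverssl_CompanyA, serverssl_CompanyB) and the path prefixes are placeholders; it also generalizes the thread's exact-match patterns to prefix globs on HTTP::path, which is an assumption about the intended routing.

```tcl
# Added example, not from the thread. Pool/profile names are placeholders.
when CLIENT_ACCEPTED {
    # Initialise the selector here so SERVER_CONNECTED never references an
    # unset variable (CLIENT_ACCEPTED fires before any HTTP_REQUEST).
    set ssl_profile "serverssl_default"
}

when HTTP_REQUEST {
    # Prefix match on the normalised path; HTTP::path excludes the query string.
    switch -glob -- [string tolower [HTTP::path]] {
        "/external/lifts/docs*" -
        "/internal/sites*" {
            pool CompanyA
            set ssl_profile "serverssl_CompanyA"
        }
        "/external/boats/docs*" -
        "/internal/states*" {
            pool CompanyB
            set ssl_profile "serverssl_CompanyB"
        }
        default {
            # Unmatched request: fall through to the virtual server's default
            # pool and keep the default server-ssl profile.
            set ssl_profile "serverssl_default"
        }
    }
}

when SERVER_CONNECTED {
    # This runs before the server-side TLS handshake, which is the only point
    # at which the server-ssl profile can still be switched.
    SSL::enable serverside
    SSL::profile $ssl_profile
    # Troubleshooting line; confirms which pool/profile pairing was chosen.
    log local0. "client [IP::client_addr] -> pool [LB::server pool] via $ssl_profile"
}
```

The profile is bound when the server-side connection is opened, so a request that reuses an already-open server-side connection (for example with OneConnect) keeps whichever profile that connection was established with; if pools behind different profiles share a virtual server, verify that behaviour with the connection-reuse settings in use before relying on it. Drop the log line once the mapping has been confirmed.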
- Daniel_Alves_19 (Nimbostratus)
Hi Guys,
The iRule above encrypts the connection that goes to the server and the client connection. Do you have a client SSL profile to decrypt the connection, and an iRule to redirect the traffic to different pools? Can you show the configuration?