Forum Discussion

Mischa_62144
Nov 16, 2018

Multiple HTTPS sites on a single IP

I'm trying to host multiple HTTPS sites with different HTTP backends on a single IP address, following https://support.f5.com/csp/article/K13452 as much as possible.

Version: BIG-IP 13.1.1 Build 0.0.4 Final

I have imported my wildcard certificate and have configured the following:

Client SSL profiles

domain.com:
  • No "Server Name"
  • "Default SSL Profile for SNI" checked

sub1.domain.com:
  • Parent: "domain.com"
  • Server Name: "sub1.domain.com"
  • "Default SSL Profile for SNI" NOT checked

sub2.domain.com:
  • Parent: "domain.com"
  • Server Name: "sub2.domain.com"
  • "Default SSL Profile for SNI" NOT checked

Virtual Servers

sub1:
  • Destination: 10.0.0.1
  • Service port: 443 HTTPS
  • HTTP profile: http
  • SSL Profile (Client): domain.com + sub1.domain.com
  • Source Address Translation: Auto Map

sub2:
  • Destination: 10.0.0.2
  • Service port: 443 HTTPS
  • HTTP profile: http
  • SSL Profile (Client): domain.com + sub2.domain.com
  • Source Address Translation: Auto Map

But as mentioned, I only have a single IP address, and when I change the destination on the VS for sub2 to "10.0.0.1" I'm presented with this error:

01070333:3: Virtual Server /Common/sub2 illegally shares destination address, source address, service port, ip-protocol, and vlan with Virtual Server /Common/sub1

I was under the impression that because I'm using multiple SSL profiles with specific Server Names it should be possible to host this on a single IP.

  • You said "traffic wouldn't know which one to go to", but isn't that where SNI comes into play?

    There's even an article saying that "prior to the introduction of SNI, the client could not establish secure connections to multiple virtual servers hosted on a single IP address." To me that sounds like, with SNI support, multiple virtual servers hosted on a single IP address have been made possible...

    Source: https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

  • You can only have one IP:Port combination for a Virtual Server, since the traffic wouldn't know which one to go to. You need to put all the SSL profiles on one Virtual Server.

  • You have two Virtual Servers based on this error message:

    Virtual Server /Common/sub2 illegally shares destination address, source address, service port, ip-protocol, and vlan with Virtual Server /Common/sub1

    The error message says that you're trying to use the same IP address and port for both Virtual Servers. How would traffic know to go to Virtual Server A over Virtual Server B? SNI (as I understand it) is for matching a domain to a certificate so that multiple domains can be used for one Virtual Server. I don't think it has anything to do with routing in the sense of directing traffic, at least for how I've used it.

    In the end, a virtual server is a listener, and just like you can't have two hosts with the same IP address on a network, due to the obvious IP conflict, you cannot have two Virtual Servers with the same IP address and port. You can have the same IP address with a different port (e.g. 10.0.10.10:443 and 10.0.10.10:22).

  • I'm coming from NGINX, that's probably where my thinking goes wrong. On NGINX I just add another "server" listening on the same IP:port combination, but with a different "Server Name".

    Thanks for the quick replies!

  • Hey Mischa

    I'm sorry, but it is a bit confusing.

    Do you have a wildcard certificate, meaning that the certificate is issued for *.domain.com? In that case you only need a single Client SSL Profile to which you have assigned the certificate.

    Client SSL Profile
    • Name: wildcard_domain_com
    • Certificate: wildcard_domain_com.crt
    • Key: wildcard_domain_com.key

    Then you create one single virtual server, for instance:

    Virtual Server
    • VS Name: vs_wildcard_domain_com
    • Destination IP: 10.0.0.1
    • Service port: 443 HTTPS
    • HTTP profile: http
    • SSL Profile (Client): wildcard_domain_com
    • Source Address Translation: Auto Map
    • NO DEFAULT POOL

    Pool 1
    • Name: pool_sub1_domain_com
    • Member: 172.16.1.10:80

    Pool 2
    • Name: pool_sub2_domain_com
    • Member: 172.16.1.20:80

    Now to the "tricky" part. In order to load balance to different pools you need an iRule that checks the Host header inside the HTTP request and load balances based on that. Luckily, there is an iRule created just for this, named ProxyPass. You can download it here:

    ProxyPass v10/v11

    Download this iRule and assign it to the VS.

    Then navigate to Local Traffic > iRules > Data Group List and create the following Data Group List:

    • Name: ProxyPassvs_wildcard_domain_com
    • Type: String

    Then enter the following values:

    Subdomain 1
    • String: sub1.domain.com/
    • Value: sub1.domain.com/ pool_sub1_domain_com

    Subdomain 2
    • String: sub2.domain.com/
    • Value: sub2.domain.com/ pool_sub2_domain_com

    This should give the results you're after.

    And on another note, you do not need SNI for this, because you are intercepting the SSL traffic by having a Client SSL Profile. So the HTTP Host header will be readable by the BIG-IP.

    SNI load balancing will only be needed when you have an HTTPS VS without a Client SSL Profile, because in that case the HTTP Host header will be encrypted. In that case we use the SNI, which is part of the Client Hello in the SSL handshake.

    I hope this helps!
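For readers who want the Host-header-to-pool selection described in the last answer without pulling in the full ProxyPass iRule, here is a minimal iRule written for this thread as an added example (it is not ProxyPass and not F5's code). It assumes a String data group named dg_host_to_pool that maps lowercase hostnames to pool names, and that the VS has a Client SSL profile and HTTP profile attached so HTTP_REQUEST fires on decrypted traffic.

```tcl
# Added example, not part of the original thread or of ProxyPass.
# Assumes a String data group "dg_host_to_pool" whose keys are lowercase
# hostnames and whose values are pool names, for example:
#   sub1.domain.com := pool_sub1_domain_com
#   sub2.domain.com := pool_sub2_domain_com
when HTTP_REQUEST {
    # The Host header may carry a port ("sub1.domain.com:443") and arbitrary
    # case; normalise it so the lookup key matches the data group entry.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # class lookup returns the data group value (the pool name) for this host,
    # or an empty string when the host is absent or not listed.
    set target_pool [class lookup $host dg_host_to_pool]

    if { $target_pool ne "" } {
        pool $target_pool
    } else {
        # No default pool is configured on the VS, so answer unknown or
        # missing hosts explicitly instead of letting the connection fail.
        HTTP::respond 404 content "Unknown host" "Content-Type" "text/plain"
    }
}
```

Because the certificate check already happened at the Client SSL profile, this rule only decides which backend pool serves the request; the SNI value in the Client Hello is not consulted.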