Forum Discussion
Multiple HTTPS sites on a single IP
Hey Mischa
I'm sorry but it is a bit confusing.
Do you have a wildcard certificate? Meaning that certificate is issued for *.domain.com? In that case you only need to use a single Client SSL Profile where you have assigned the certificate.
Client SSL Profile
- Name: wildcard_domain_com
- Certificate: wildcard_domain_com.crt
- Key: wildcard_domain_com.key
Then you create one single virtual server, for instance:
Virtual Server
- VS Name: vs_wildcard_domain_com
- Destination IP: 10.0.0.1
- Service port: 443 HTTPS
- HTTP profile: http
- SSL Profile (Client): wildcard_domain_com
- Source Address Translation: Auto Map
- NO DEFAULT POOL
Pool 1
- Name: pool_sub1_domain_com
- Member: 172.16.1.10:80
Pool 2
- Name: pool_sub2_domain_com
- Member: 172.16.1.20:80
Now to the "tricky" part. In order to load balance to different pools you need an iRule that will check the host header inside the HTTP request and load balance based on that. Luckily, there is an iRule created just for this named ProxyPassiRule. You can download it here:
Download this iRule and assign it to the VS.
Then navigate to Local Traffic > iRules > Data Group List and create the following Data Group List:
- Name: ProxyPassvs_wildcard_domain_com
- Type: String
Then enter the following values:
Subdomain 1
- String: sub1.domain.com/
- Value: sub1.domain.com/ pool_sub1_domain_com
Subdomain 2
- String: sub2.domain.com/
- Value: sub2.domain.com/ pool_sub2_domain_com
This should give the results you're after.
And on another note, you do not need SNI for this because you are intercepting the SSL traffic by having a Client SSL Traffic. So the HTTP Host header will be readable by the BIG-IP.
SNI load balancing will only be needed when you have an HTTPS VS without a Client SSL Profile, because in that case the HTTP Host header will be encrypted. In that case we use the SNI, which is part of the Client Hello in the SSL handshake.
I hope this helps!