Forum Discussion
Multiple Websites on Single VIP
Hi,
I have multiple websites which are currently on Microsoft TMG. I want to migrate them to F5. There are multiple URLs hosted on different servers, which are running on different ports as well.
I have only one public IP. I have created pools for the different servers and I have applied the certificate on the VIP as well.
All the traffic should be SSL from the client side.
My requirement is:
If any user types
https://site1.test.com/ http://site1.test.com/ www.site1.test.com
it should go
======================
https://site2.test.com/ http://site2.test.com/ www.site2.test.com
it should go
=================================
https://site3.test.com/ http://site3.test.com/ www.site3.test.com
it should go
I have created multiple pools and will recall them in the iRule.
How can I achieve this? A single VIP with multiple websites which require SSL offload as well as redirection of URLs.
25 Replies
- Brad_Parker_139
Nacreous
I would use two VIPs, one for HTTP and one for HTTPS. On the HTTP VIP you will want to create an iRule that redirects to HTTPS. You can use the built-in iRule that exists for this, _sys_https_redirect, or something like this if you want a 301 if you ever plan to use HSTS:
```
when HTTP_REQUEST {
    # Rebuild the requested URL with the https scheme
    set my_loc "https://[HTTP::host][HTTP::uri]"
    # Send a raw 301 response and close the connection
    TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    TCP::close
}
```
On the HTTPS VIP you will want to create a client SSL profile for each site and use the "Server Name" field to enable SNI. With SNI you will need to create one of those profiles as the default for legacy clients, but you can also set the default profile to require SNI if you so desire.
- Wasim_Hassan_13
Nimbostratus
I have applied the rules: the default built-in HTTP to HTTPS one, and the one mentioned below.
```
ltm rule PROXY_TEST2 {
    partition REVERSE_PROXY
    when HTTP_REQUEST {
        set my_loc "https://[HTTP::host][HTTP::uri]"
        TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
        TCP::close
    }
}
```
I have created two VIPs, one for HTTPS and one for HTTP, but no luck. I can see the hit on the VS and a security error page, but I am not able to open the page.
- Brad_Parker
Cirrus
So the redirect sends you from HTTP to HTTPS correctly and you are presented a certificate. Does the certificate match what you would expect to be presented? i.e. https://site1.test.com/ is presented the certificate for site1.test.com?
- Wasim_Hassan_13
Nimbostratus
Yes, the SSL profile is applied.
But none of the sites is opening. Just to let you know, I didn't recall any pool in the iRule or anywhere else in the config. How will it work?
- Brad_Parker_139
Nacreous
I just noticed you wanted to account for www in your HTTP-HTTPS redirect, so here's an updated example for that iRule:
```
when HTTP_REQUEST {
    # Strip a leading "www." so the redirect targets the bare host name
    if { [string tolower [HTTP::host]] starts_with "www." } {
        set host [string range [HTTP::host] 4 end]
    } else {
        set host [HTTP::host]
    }
    set my_loc "https://$host[HTTP::uri]"
    TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    TCP::close
}
```
The iRule for the pool selection on your HTTPS VIP could look something like this:
```
when HTTP_REQUEST {
    # Choose the pool from the lowercased Host header
    switch [string tolower [HTTP::host]] {
        "site1.test.com" { pool site1_pool }
        "site2.test.com" { pool site2_pool }
        "site3.test.com" { pool site3_pool }
        default { pool default_pool }
    }
}
```
Hope this helps.
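Added example, not part of the thread or of any poster's code: a variant of the HTTPS VIP pool-selection iRule above that normalizes the Host header before matching, so a port suffix or a www. prefix does not fall through to the default branch. The pool names are the placeholders from the reply above; answering unknown hosts with a 404 instead of a default pool is an assumption of this example.

```tcl
when HTTP_REQUEST {
    # Lowercase the Host header and drop any ":port" suffix,
    # e.g. "Site1.test.com:443" becomes "site1.test.com".
    set host [getfield [string tolower [HTTP::host]] ":" 1]

    # A www. name that arrives directly over HTTPS is sent to the bare
    # name, mirroring what the redirect on the HTTP VIP does.
    if { $host starts_with "www." } {
        HTTP::respond 301 Location "https://[string range $host 4 end][HTTP::uri]"
        return
    }

    switch -- $host {
        "site1.test.com" { pool site1_pool }
        "site2.test.com" { pool site2_pool }
        "site3.test.com" { pool site3_pool }
        default {
            # Unknown or empty Host: record it and refuse, rather than
            # passing the request to a catch-all pool.
            log local0. "unmatched host=[HTTP::host] client=[IP::client_addr]"
            HTTP::respond 404 content "Not Found" Connection close
        }
    }
}
```

A www. name only reaches this rule over HTTPS if the certificate presented also covers that name; otherwise the browser stops at the certificate warning before any redirect is sent.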
- Wasim_Hassan_13
Nimbostratus
You mean to say I will apply two iRules to the HTTPS VIP, one for the pool and one for the header/www etc. One redirect will be on the HTTP VIP.
- Brad_Parker_139
Nacreous
One iRule, the top one, for your HTTP VIP to handle the redirects (including accounting for www and redirecting without it) and one iRule, the second one, on the HTTPS VIP for pool selection.
- Fabio_Garcia_14
Nimbostratus
Hello guys,
I was checking this issue from 2014, but I have a question... what if I have a lot of sites to configure in this iRule example? Is it a problem for the BIG-IP appliance? I mean concerning CPU, memory usage, etc. Thanks in advance!!
- Wasim_Hassan_13
Nimbostratus
Hi,
I tried the config below but no luck.
```
ltm virtual VS_RProxy_80 {
    description VS_RProxy_80
    destination 192.168.216.33:http
    ip-protocol tcp
    mask 255.255.255.255
    partition REVERSE_PROXY
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/_sys_https_redirect
    }
    source 0.0.0.0/0
    vlans {
        RPROXY_EXT_316
    }
    vlans-enabled
    vs-index 244
}
ltm virtual VS_RProxy_443 {
    description VS_RProxy_443
    destination 192.168.216.33:https
    ip-protocol tcp
    mask 255.255.255.255
    partition REVERSE_PROXY
    persist {
        Reverse_Proxy_Persistence {
            default yes
        }
    }
    profiles {
        /Common/http { }
        /Common/tcp { }
        Reverse_Proxy_Cert {
            context clientside
        }
    }
    rules {
        TEST-1
        PROXY_TEST2
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans {
        RPROXY_EXT_316
    }
    vlans-enabled
    vs-index 242
}
ltm rule TEST-1 {
    partition REVERSE_PROXY
    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "enoclubricants.com" { pool ENOCLUBRICANTSPP1 }
            "enocvettingsiredev.enoc.com" { pool ENOCVETTING }
            "wrench.enoc.com" { pool WRENCH_POOL }
            default {
                # Use pool attached to virtual - no action required
            }
        }
    }
}
ltm rule PROXY_TEST2 {
    partition REVERSE_PROXY
    when HTTP_REQUEST {
        set my_loc "https://[HTTP::host][HTTP::uri]"
        TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
        TCP::close
    }
}
```
But I am still not able to see any web page.
- Brad_Parker
Cirrus
I added a comment above for the previous question. Looking at your config here, do you have one certificate that will cover the three different domains? Or do you have three different certificates? You only have one client-ssl profile attached. If you have three different certificates, you will need three different profiles with SNI enabled by using the "Server Name" field mentioned in my first comment.
- Wasim_Hassan_13
Nimbostratus
Yes, I have the certificate which has all the website names and I have recalled exactly the same profile in the client SSL profile.
- nitass
Employee
I tried below config but no luck.
Can you try to remove the PROXY_TEST2 iRule from the VS_RProxy_443 virtual server and see if it makes any difference?
- Wasim_Hassan_13
Nimbostratus
I have removed the iRule; I have only one iRule on the HTTPS VIP, but it is still the same.
```
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "enoclubricants.com" { pool ENOCLUBRICANTSPP1 }
        "enocvettingsiredev.enoc.com" { pool ENOCVETTING }
        "wrench.enoc.com" { pool WRENCH_POOL }
        default {
            # Use pool attached to virtual - no action required
        }
    }
}
```
- nitass_89166
Noctilucent
Can you add some logging?
e.g.
```
when HTTP_REQUEST {
    # Record who asked for which host and URI
    log local0. "client=[IP::client_addr]:[TCP::client_port] host=[HTTP::host] uri=[HTTP::uri]"
    switch [string tolower [HTTP::host]] {
        "enoclubricants.com" { pool ENOCLUBRICANTSPP1 }
        "enocvettingsiredev.enoc.com" { pool ENOCVETTING }
        "wrench.enoc.com" { pool WRENCH_POOL }
        default {
            # Use pool attached to virtual - no action required
        }
    }
}
when HTTP_RESPONSE {
    # Record which pool served the response
    log local0. "client=[IP::client_addr]:[TCP::client_port] pool=[LB::server pool]"
}
```
- Wasim_Hassan_13
Nimbostratus
How do I check the logs? I have applied the iRule which you mentioned above.
- nitass_89166
Noctilucent
The log will be written to /var/log/ltm.