Forum Discussion
Jason_Peery_467
Mar 27, 2012 Nimbostratus
Newbie and Certs
So I realize I don't know as much as I thought I did about how certs work, or how they work with F5, and am hitting a point of frustration beyond which I don't know how to deal with, so I was wonderin...
hooleylist
Mar 29, 2012 Cirrostratus
Hi Jason,
For general SSL PKI architecture you could try some of these links:
http://en.wikipedia.org/wiki/Public_key_infrastructure
http://www.sslshopper.com/public-key-infrastructure-pki-overview.html
http://www.symantec.com/connect/articles/introduction-openssl-part-three-pki-public-key-infrastructure
Sorry it's been frustrating for you. If you already have a wildcard cert and key for a subdomain like *.example.com, you should be able to import it via the GUI under Local Traffic | SSL certificates. Also import just the root cert you used to generate the wildcard server cert/key. Then create a client SSL profile referencing the wildcard server cert and key and the root cert. Create an HTTP pool with any HTTP server that LTM can reach. Test this to make sure the clientside SSL piece is working.
Once you have that working, create an HTTPS pool for each set of the actual servers you want to load balance to. These pools should probably be specific to the subdomain the client requests for the web application those servers serve content for. Add a server SSL profile to the virtual server so that LTM will re-encrypt the serverside traffic. Add just one of the HTTPS pools to the virtual server. Test to make sure that requests for that specific subdomain work to that pool.
Once you have that working, create an iRule like the following:
    when HTTP_REQUEST {
        # Select an HTTPS pool based on the subdomain the client requests
        # Save the HTTP host set to lowercase
        set host [string tolower [HTTP::host]]
        # Check if this is a subdomain
        if { $host ends_with ".example.com" } {
            # Check the subdomain
            switch [getfield $host . 1] {
                www {
                    # host header is www.example.com
                    pool www_pool
                }
                app1 {
                    # host header is app1.example.com
                    pool app1_pool
                }
                app2 {
                    # host header is app2.example.com
                    pool app2_pool
                }
                app3 -
                app4 -
                app5 {
                    # host header is app3, app4 or app5.example.com
                    pool app3_pool
                }
                default {
                    # host header is something else
                    pool default_pool
                }
            }
        }
    }
If you get stuck with this either reply here or email me (aaron at f5 dot com) and I'll see if I can help.
Aaron
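Added example, not part of the post above: OpenSSL checks to run before importing the wildcard cert, key and root cert, confirming that the key belongs to the cert, that the cert verifies against the root, and which hostnames `*.example.com` actually covers. The function names, file names and the throwaway certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Pre-import checks for a wildcard server cert, its key and the issuing root.
# Everything generated below is constructed test material, not real PKI.

# True when the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# True when certificate $2 verifies against root certificate $1.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when certificate $1 is valid for hostname $2.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Build a constructed root CA and a *.example.com server cert in directory $1.
make_test_pki() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=Constructed Test Root\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/req.cnf"
    printf 'subjectAltName=DNS:*.example.com\n' > "$1/san.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -subj '/CN=*.example.com' \
        -newkey rsa:2048 -nodes -keyout "$1/wild.key" -out "$1/wild.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/wild.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/san.cnf" -days 2 -out "$1/wild.crt" 2>/dev/null
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
make_test_pki "$d"
key_matches_cert "$d/wild.crt" "$d/wild.key" && echo "key matches certificate"
chains_to_root "$d/root.crt" "$d/wild.crt" && echo "certificate chains to root"
# A wildcard covers exactly one label, so the last two names are not covered.
for h in www.example.com app1.example.com a.b.example.com example.com; do
    if covers_host "$d/wild.crt" "$h"; then echo "covered: $h"; else echo "NOT covered: $h"; fi
done
```

To check real files, call the three functions with your own cert, key and root paths in place of the generated ones.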