Forum Discussion
Policies to move HTTPS traffic
Hi John,
Yes, it is possible. You could use LTM Traffic Policies to match the HTTP Host value and forward traffic to the pool accordingly. Get started with this article: devcentral - LTM Policy
A policy rule could look like this:
And for the SSL profile take a look at this solution: K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature
With SNI you can configure which SSL certificate will be used to authenticate the VS to the client and to secure the connection.
KR
Daniel
- John_Krum, Jul 07, 2021, Cirrus

I have looked at the first reference link earlier as well. Here is more detail regarding what I am trying to accomplish.

I have an outside firewall NAT for incoming 443 traffic on 96.103.236.222 that forwards that traffic to an LTM VIP 192.168.5.5 listening on 443. I am trying to have the sites Viewforms.mycompany.org and Employee.mycompany.org (I am also thinking it might be better to do Mycompany.web.org/viewforms and Mycompany.web.org/employees, but the first one is preferred).

The VIP is basic:
HTTP profile is HTTP. I have to select an http or an http-connect profile (this is where I am not sure why I require an http profile; it makes me think that the server connection is http).
Automap.
Resources: I don't have a default pool selected (I did, to verify I get the login page prior to adding a policy).
Policy is DMZ-Cop.

DMZ-Cop is:
Match HTTP Host -> host -> is -> any of -> Viewforms.mycompany.org or viewforms -> at request time
Do the following: Forward traffic -> to pool -> viewforms-pool

When I https to the page Viewforms.mycompany.org I do not see any policy statistics, invoked or succeeded. I haven't tried adding any info for the second site.

Once I change the VIP config http profile (client) to http, I no longer connect to the login page. I do see a TCP handshake, Client Hello, and an ACK to that. 1.5 seconds later a FIN from my side.

Thanks
John Krumenacher
- Daniel_Wolf, Jul 07, 2021, MVP
This is gonna be a detailed one...
First of all, the virtual server: you mentioned publishing the virtual server on port 443.
So your virtual server should have an HTTP profile and several clientside SSL profiles.
No serverside SSL, and use SNAT Automap (in prod I'd use a SNAT Pool).
In this example I have one for each FQDN.
This is how my VS looks. One of the clientside SSL profiles has the checkbox "Default SSL Profile for SNI" checked.
All others have only a Server Name set.
However, all SSL profiles have the same key/cert, but all FQDNs are in the SAN.
And finally, this is my LTM Traffic Policy for content switching based on FQDN.
You could add a logging action to each rule too, to check whether the condition is matched.
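The setup described in Daniel's two replies (clientside SSL profiles with one SNI default, an HTTP profile, no serverside SSL, SNAT Automap, and a Host-based traffic policy with a logging action), written out as a tmsh configuration. This is an added example, not Daniel's or F5's own configuration: object names, pool member addresses and the certificate/key file names are assumptions; the VIP address 192.168.5.5, the two FQDNs and the policy name DMZ-Cop come from the thread.

```tmsh
# Added example, not from the thread. Object names, pool member addresses
# and certificate/key file names are assumptions; the VIP 192.168.5.5, the
# FQDNs and the policy name DMZ-Cop come from the thread.

# One clientssl profile per FQDN. TLS terminates on the BIG-IP, so the HTTP
# profile can read the decrypted Host header. Both profiles reference the
# same cert/key (all FQDNs in the SAN); only the SNI server-name differs,
# and exactly one profile is the SNI default.
ltm profile client-ssl viewforms_clientssl {
    defaults-from clientssl
    cert-key-chain {
        mycompany { cert mycompany.crt key mycompany.key }
    }
    server-name viewforms.mycompany.org
    sni-default true
}
ltm profile client-ssl employee_clientssl {
    defaults-from clientssl
    cert-key-chain {
        mycompany { cert mycompany.crt key mycompany.key }
    }
    server-name employee.mycompany.org
}

# Backend pools: plain HTTP on the server side, so no serverssl profile.
ltm pool viewforms-pool {
    members { 192.168.10.11:80 { address 192.168.10.11 } }
    monitor http
}
ltm pool employee-pool {
    members { 192.168.10.12:80 { address 192.168.10.12 } }
    monitor http
}

# Content switching on the HTTP Host header, evaluated at request time.
# Each rule also writes a log line so a match can be verified in /var/log/ltm.
ltm policy DMZ-Cop {
    controls { forwarding }
    requires { http }
    strategy first-match
    rules {
        viewforms {
            ordinal 1
            conditions {
                0 { http-host host values { viewforms.mycompany.org } }
            }
            actions {
                0 { forward select pool viewforms-pool }
                1 { log write message "DMZ-Cop: viewforms rule matched" }
            }
        }
        employee {
            ordinal 2
            conditions {
                0 { http-host host values { employee.mycompany.org } }
            }
            actions {
                0 { forward select pool employee-pool }
                1 { log write message "DMZ-Cop: employee rule matched" }
            }
        }
    }
}

# The virtual server: HTTP profile plus both clientside SSL profiles, the
# policy attached, SNAT Automap, and no default pool (the policy decides).
ltm virtual dmz_https_vs {
    destination 192.168.5.5:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        viewforms_clientssl { context clientside }
        employee_clientssl { context clientside }
    }
    policies { DMZ-Cop { } }
    source-address-translation { type automap }
}
```

On BIG-IP 12.1 and later a policy is created as a draft under Drafts/ and has to be published before it can be attached to a virtual server. The http-host condition only sees decrypted traffic, which is why the clientssl profiles belong on the same virtual server as the HTTP profile; an SSL-extension server-name condition, by contrast, is evaluated on the cleartext ClientHello before any decryption, so it can match even when no clientssl profile is present.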
- John_Krum, Jul 07, 2021, Cirrus

Daniel, are you sending screenshots as well? This is what I am seeing. I have added a copy of the clientssl to which I added the option Default SSL Profile for SNI. It was the default_ssl_sni line item that made me think there was more to the picture that I should be referencing as well.

Thanks
John Krumenacher
- Daniel_Wolf, Jul 07, 2021, MVP
I cannot see the screenshot you sent, but I would say this solution is covering all required configurations: https://support.f5.com/csp/article/K13452
- John_Krum, Jul 07, 2021, Cirrus

Daniel, looking closer at the pcaps and the "configure a VS to serve multiple HTTPS sites" article, I switched up my policy. Now I can see that the policy is getting both invoked and succeeded hits in equal amounts.

DMZ-Cop is:
Match SSL Extension -> server name -> is -> any of -> Viewforms.mycompany.org or viewforms -> at client hello
Do the following: Forward traffic -> to pool -> viewforms-pool

I have the same end results. No Server Hello in reply to the Client Hello. I assume this is due to the fact that the server has the cert and I am directing traffic to it via a profile?

Thanks again,
John Krumenacher