Forum Discussion
Query a pool according to the hostname without opening the encryption
Hello
In an HTTPS connection the only things that can be seen are the IP and hostname. How can I choose the pool to send a connection to depending on the hostname without opening the encryption?
Best regards
You can achieve it using a traffic policy matching on SSL Extension server name:
zamroni777:
Adding to Amine_Kadimi,
Most clients send the intended server hostname during SSL session setup, so that the SSL server can respond with the proper certificate for that server.
This method allows the same server to serve multiple SSL hostnames using a different certificate for each hostname.
The sample config above actually reads that hostname. You can read more about TLS SNI here:
https://www.cloudflare.com/learning/ssl/what-is-sni/

Hi MABSJ,
My reply may be long, but it will help you understand SNI once and for all if you are starting with it for the first time.
SNI (listed in RFC 4366) is an extension to the TLS protocol that allows the client to include the requested hostname in the first message of the SSL handshake (Client Hello).
This allows the server to determine the correct named host for the request and setup the connection accordingly from the start.
You can configure the BIG-IP for SNI on the client-side as well as the server-side SSL connection by using the Server Name setting on multiple Client SSL profiles and enabling the clientssl-use-sni property AND/OR on multiple Server SSL profiles and enabling the serverssl-use-sni property (BIG-IP 15.1.0 and later).
In order to apply multiple SSL profiles on an F5 VIP, we need to collect the following information per VIP. As we have SSL bridging, I guess the SNI has to be applied on both the server-side and the client-side SSL profiles, but I am not sure.
Every SSL profile must now have the SNI-enabled property set in the configuration for the SNI property to apply.
Use and make copies of the following table for each VIP, depending on whether it is SSL offloading (use only the client SSL profile section) or SSL bridging (use both the client SSL profile and the server SSL profile sections).
Note: You can skip collecting the following details for this procedure if you have an SNI-enabled virtual server with a fallback client SSL profile that is already configured and assigned. Additionally, for clients that do not support TLS SNI, if the requested server name does not match the certificate and key pair for the fallback profile, clients receive certificate warnings.
Here are more details, with the help of an example, on understanding SNI from the F5 perspective.
How does SNI work?
During the Client Hello phase of TLS negotiation, the client sends a hostname in the SNI field. In a browser, it is the hostname that is in the browser address bar.
(Images: browser requesting a TLS site; TLS Client Hello showing SNI)
But wait, isn't TLS encrypted? How can the server or reverse proxy even see the SNI field?
It is not encrypted because SNI is transmitted from the client to the server before the TLS handshake is complete, meaning the SNI field is sent in the clear. Take a minute to look at the diagram below, which shows the TLS negotiation process.
(Image: TLS negotiation diagram)
Implementing SNI with F5 LTM
This post will outline the process on F5's LTM load balancer, but I'm pretty sure it's possible using other load balancer/reverse proxy solutions.
SNI is supported in the following browsers:
- Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
- Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
- Firefox 2.0 or later
- Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
- Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
- Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)
SNI on the F5 BIG-IP platform was introduced in the 11.1.0 release. Solution article SOL13452 is the official F5 guide for implementing SNI.
Create a Client SSL Profile for Each FQDN
For each FQDN you will create a client SSL profile as shown below.
Also, you must create a fallback SSL profile to use if a client presents an SNI that does not match any other profile, or if the client does not present an SNI at all.
Make sure you select Default SSL Profile for SNI, and if you want to deny all connections that do not support SNI, you can also select Require Peer SNI support.
Apply multiple SSL profiles to an HTTPS VIP
Now just apply multiple client SSL profiles as you would apply a single client SSL profile without SNI.
Kindly rate and mark it as SOLUTION if it helps resolve your query.
Please find attached the SNI Configuration planning sheet I use.
Reference
K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature
https://my.f5.com/manage/s/article/K13452#p3
K39408450: Configure a virtual server to present SNI extension to a selected pool member
https://my.f5.com/manage/s/article/K39408450
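The mechanism behind both Amine_Kadimi's answer (a traffic policy matching on the SSL extension server name) and the "How does SNI work?" explanation above is that the server_name extension sits in the plaintext ClientHello, so a proxy can route on it with no key material. The following is an added example, not code from the thread or from F5: it builds a minimal ClientHello as constructed test input, walks the record to the server_name extension, and maps the name to a pool with the same three outcomes the post describes for multiple Client SSL profiles (a matching name, a fallback when the name is absent or unknown, and a rejection when SNI is required but missing). The hostnames and pool names are assumptions for illustration.

```python
# Added example, not code from the thread or from F5: parse the TLS SNI out of
# the plaintext ClientHello and pick a pool from it with no key material.
# The hostnames and pool names below are assumptions for illustration.
import struct
from typing import Optional

# Constructed routing table (assumed names, not from the thread).
POOLS = {
    b"app.example.com": "pool_app",
    b"api.example.com": "pool_api",
}
FALLBACK_POOL = "pool_fallback"   # used when the SNI is absent or unknown


def build_client_hello(sni: Optional[bytes]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record as constructed test input.

    Only the fields a router has to walk past are filled in; the random and
    cipher suite are placeholders. A decoy extension precedes the SNI so the
    parser must skip non-SNI entries rather than assume it comes first.
    """
    body = b"\x03\x03" + b"\x00" * 32                   # client_version, random
    body += b"\x00"                                      # session_id (empty)
    body += struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
    body += b"\x01\x00"                                  # compression: null
    exts = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"   # ec_point_formats
    if sni is not None:
        name = struct.pack("!BH", 0, len(sni)) + sni     # name_type host_name
        sni_list = struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header


def extract_sni(record: bytes) -> Optional[bytes]:
    """Return the host_name from a ClientHello record, or None if it has none.

    Everything read here is plaintext: the handshake is not finished, so
    nothing is encrypted yet. Raises ValueError on anything that is not a
    well-formed ClientHello, so a caller can drop or fall back deliberately.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len or len(p) < 35:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                         # version + random
    off += 1 + p[off]                                    # session_id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]    # cipher_suites
    off += 1 + p[off]                                    # compression_methods
    if off + 2 > len(p):
        return None                                      # no extensions block
    end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        off += 4
        if etype == 0x0000:                              # server_name
            list_end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
            q = off + 2
            while q + 3 <= list_end:
                ntype, nlen = struct.unpack("!BH", p[q:q + 3])
                q += 3
                if ntype == 0:                           # host_name entry
                    return p[q:q + nlen]
                q += nlen
        off += elen
    return None


def select_pool(record: bytes, require_sni: bool = False) -> Optional[str]:
    """Route by SNI: a known name gets its pool, an unknown one the fallback.

    With require_sni=True a ClientHello without SNI is rejected (None),
    the same outcome the post describes for 'Require Peer SNI support'.
    """
    sni = extract_sni(record)
    if sni is None:
        return None if require_sni else FALLBACK_POOL
    return POOLS.get(sni.lower(), FALLBACK_POOL)


if __name__ == "__main__":
    for host in (b"app.example.com", b"API.example.com", b"other.example.com", None):
        print(host, "->", select_pool(build_client_hello(host)))
```

Two points worth noting when reading this against the thread: the SNI is read from the first record of the connection, before any key exchange, which is why no Client SSL profile (and no private key) is needed to route on it; and a client that sends no SNI at all still has to land somewhere, which is exactly the role the fallback profile plays in the configuration above.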
MABSJ - sheesh there is a lot of good stuff in the answers here. Please select Mark As Solution if this is resolved. That helps others locate the good stuff faster.
Thanks!