Forum Discussion
redirect https request based on hostname
Team,
I'm new to iRules. I need your suggestions on the request below.
I have an existing VIP (https://www.abc.com 10.10.10.10:443) which has a pool member (1.1.1.1:443) and ssl is offloaded on the server end.
Now I have a new request from the client asking for the below:
Need a new VIP which needs to point to the same virtual IP 10.10.10.10 as above, but needs to be load balanced to the same server 1.1.1.1 on a different port, 8032.
Can I use an iRule to redirect the HTTPS request based on hostnames?
11 Replies
- Vijay_E
Cirrus
You need to terminate the SSL on the F5 in order to be able to read the host header. Based on your statement, it looks like you are terminating the SSL on the server.
Assuming that you terminate the SSL on the F5, you can use something like this:
    when CLIENT_ACCEPTED {
        set DEFAULT_POOL [LB::server pool]
    }
    when HTTP_REQUEST {
        if { [HTTP::host] eq "www.abc.com" } {
            pool POOL_ABC
        } elseif { [HTTP::host] eq "www.xyz.com" } {
            pool POOL_XYZ
        } else {
            pool $DEFAULT_POOL
        }
    }

Hi,
If you can't do SSL offloading on the BIG-IP, you can rely on the Server Name Indication extension delivered by clients in the SSL handshake.
You can try to modify the iRule at this link:
https://devcentral.f5.com/codeshare?sid=717
- Yann_Desmarest_
Nacreous
Hi,
Regarding Odaah's iRule, you can improve the iRule a bit:

    when CLIENT_ACCEPTED {
        set DEFAULT_POOL [LB::server pool]
    }
    when HTTP_REQUEST {
        switch [HTTP::host] {
            "www.abc.com" { pool POOL_ABC }
            "www.xyz.com" { pool POOL_XYZ }
            default { pool $DEFAULT_POOL }
        }
    }

- parvez_70211
Nimbostratus
Now, if the SSL is terminated on the LB, can I have two client SSL profiles linked to the same VIP? Basically, what I'm trying to say is that I already have a CA cert for CN: www.abc.com. Do I order another cert with CN: www.xyz.com and associate both clientssl profiles with the same VIP?
- parvez_70211
Nimbostratus
I know a single cert with SAN will help my case, but will it work with 2 different certs? Yann, can I write an iRule similar to the one you provided above with the help of data objects?
- Yann_Desmarest_
Nacreous
Hi, yes, you can use 2 certs. In that case, you need to configure SSL profiles using the SNI feature. I provided you with an article on that topic in the post below. Let me know if it fits your need.
Hi,
You can either use up to 3 certificates on the client side, but you need to play with SNI.
Here you can find how to configure it: https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
If you own every domain, you can just order a SAN multi-domain certificate from your public CA provider. This way, you can just add one clientssl profile with this certificate that covers both domains.