Redirect Options for retired hostname using SSL
So, I am trying to tackle an interesting problem. I have a legacy domain with a certificate that I am trying to retire. I have a new domain, new hostname, new certificate, and separate Virtual Server setup. However, I have no control over users on the Internet with saved links. The URLs referencing this hostname on the legacy domain have long since been removed from publication. Just looking today, there were still more than 100 active connections. I can perform a redirect, assuming I can un-encrypt the traffic. However, I have a need to retire the associated certificate.
hostname.olddomain.com = VS-1:443
hostname.newdomain.com = VS-2:443
Is there any way to process traffic on port 443 without performing a certificate exchange, so that the user will send their request in a way that I can redirect them without having to un-encrypt the traffic?
Would it be possible to use NAT in some fashion to force the user to a Virtual Server listening on port 80, or will that break due to the https:// in the URL?
I fear that there is no way to solve this problem and I am forced to renew this certificate for another year.
- Samir_Jha_52506 (Noctilucent)
Cool. You already mentioned the 1st option: renew the cert and redirect the old URL to the new one, so the browser cache will store it. Flash the user to update their bookmark.
The 2nd option is to create an alias of "hostname.olddomain.com" to the new URL "hostname.newdomain.com" at the DNS level and assign a SAN certificate with the names of both URLs. Traffic impact will be less.
How To Generate SAN - https://support.f5.com/csp/article/K13471
In the 2nd option, your old URL (hostname.olddomain.com) IP will be free and all other resources can be utilized in other applications.
- Kevin_Davies_40 (Nacreous)
Is there any way to process traffic on port 443 without performing a certificate exchange, so that the user will send their request in a way that I can redirect them without having to un-encrypt the traffic?
There is no way to achieve this without a certificate. When the client types https:// the browser is expecting an SSL conversation after the session is established. Anything else will throw an error. You can't even do a redirect until after the SSL has been established, as the F5 cannot read the traffic until that happens.
HTTP::respond 301 Location "https://my new page"
Given the above, you can trigger a 301 permanent redirect. This means the user's browser should cache it and automatically use it the next time the bookmark is used. You may want to check in the new site that customers are coming from the old site page (see Referrer header) and put up a page or message that the user should update their bookmarks to the new site.