Forum Discussion
Martin_Smith_58
Nimbostratus
Oct 19, 2012
Regular SSL/TLS for user connections to the LTM, with SNI support from LTM to the real webservers?
Hi there --
We have a client base that we truly can't force to support TLS SNI for HTTP traffic. However, we'd like to limit the number of IPs we put on our backend webservers. I'm wondering if ...
Martin_Smith_58
Nimbostratus
Nov 07, 2012
Posted By Kevin Stewart on 10/19/2012 12:21 PM
Try the Host header replacement method I described without setting the Server Name field. Still looking into why this works though.
Have you considered wildcard or SAN certs for the client SSL profile(s)?
Also curious why you're doing SNI on the back end.
Thanks for the suggestion. We're not considering SAN or wildcard certs as we host hundreds of websites (this isn't just for 3-4 sites). We like the idea of SNI on the backend in order to reduce the need for 1-IP-per-site on the backend. This way, we can do name-based Apache virtual hosting with SSL without so many IPs (so our hundreds of sites still get the correct port and URL scheme without us having to change anything).
Do you know of any other way mass-virtual hosting is being done with an F5 and SSL? It's prohibitive for us to ask all of our hosting customers to change code, and we'd love to stop putting 100+ IPs on each web server.