F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Martin_Smith_58's avatar
Martin_Smith_58
Icon for Nimbostratus rankNimbostratus
Oct 19, 2012

Regular SSL/TLS for user connections to the LTM, with SNI support from LTM to the real webservers?

Hi there --

 

We have a client base that we truly can't force to support TLS SNI for HTTP traffic. However, we'd like to limit the number of IPs we put on our backend webservers. I'm wondering if it's possible for us to 'upgrade' traffic and add SNI information when the LTM talks to our backend servers.

 

I've noticed there are *many* posts on enabling SNI from browsers to the LTM. I'm specifically not interested in that. I want to enable TLS SNI just from the LTM to our Apache servers (regardless of the HTTP conversation between our browsers/users and the LTM).

 

 

Thanks in advance,

 

 

Martin

 

config
design

11 Replies

Show More
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Nov 07, 2012
    SSL always makes the mass-virtual hosting part challenging, by virtue of the protocols. And one could argue that hardware-based SSL offload is a HUGE scalability win if your security policy will allow it.

     

     

    That said, did you look at the iRule I posted above? It allows you to do SNI on the server side by injecting the name into the TLS extension of the server side CLIENTHELLO message.