Forum Discussion
Restricting access to a virtual server by Public IP address should access through only domain name.
- Aug 29, 2023
It seems you have not used your domain certificate under the client SSL profile. Check the link below to upload your CA domain certificate and key to BIG-IP; after that, you need to create a client SSL profile pointing to your domain certificate/key and any chain certificate.
https://my.f5.com/manage/s/article/K14620#3
Once done, you can check your domain for any SSL issues by running a test at the link below:
https://www.sslshopper.com/ssl-checker.html
Thanks for your reply. Tried your solutions.
I applied Client SSL / Server SSL profiles and an HTTP profile on the website and added an iRule for the website.
iRule script below:
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "www.domian.com" {
            return
        }
        default {
            reject
        }
    }
}
All settings successfully applied. Now I can access the website with only the domain name, BUT while accessing the website with the domain it shows my SSL certificate is expired. Tried to view the same certificate; it shows some IT or local certificate.
As earlier, my website SSL certificate is secure and working.
Kindly suggest for the same.
Thanks in advance.
- vishu_chavan, Aug 31, 2023, Altocumulus
Thanks for the advice.
Now I can access the website only through the domain name but not by IP address.
All settings successfully applied and working. Thanks all.
But I just need some information on iRules.
As of now I have to create a separate iRule for every virtual server pool.
Is it possible to have a single iRule which can be applied to all virtual servers? Because there is a limit on space size for iRules.
My current iRule:
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "www.domian.com" {
            return
        }
        default {
            reject
        }
    }
}
- ragunath154, Sep 01, 2023, Cirrostratus
I hope you have multiple domains mapped to each virtual server and need to restrict to requests with a domain, not IP based, using a single iRule.
For this you can use an iRule with a datagroup, where the datagroup has the list of domains.
e.g.:
when HTTP_REQUEST {
    # Host header as sent by the client
    set domain [HTTP::host]
    # Refuse any request whose Host is not listed in the mydomain-DG datagroup
    if { ![class match $domain equals mydomain-DG] } {
        HTTP::respond 403 content "Forbidden"
        drop
    }
}
As per this iRule, if the request doesn't match a domain in the mydomain-DG datagroup then it will be dropped.
You need to create a datagroup named mydomain-DG and add your domains.
- vishu_chavan, Sep 01, 2023, Altocumulus
Hi all,
Thanks to all for the replies.
Now my website is up and working with the domain name, but after making a virtual server for the domain
I am getting the incoming interface IP address instead of the original public source IP address in the logs for the virtual server in the firewall which is placed below the F5 (I can see the original public source IP address in F5 logs but not in the firewall).
Traffic Flow
Public Network-------------->F5--------------------->FIREWALL
I am using SNAT for the published domain.
Is there any setting in the virtual pool/server where I can get the original public address in F5 and firewall logs?
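
An added example, not part of any post in this thread: a variant of the data-group iRule suggested above that lowercases the Host header and strips a port before matching, so that `WWW.Domain.com` and `www.domain.com:443` are treated the same as the listed name, and that logs each refused request. It assumes a string data group named mydomain-DG (the name used in the thread) whose records are lowercase host names without ports; the log facility and message format are assumptions.

```tcl
# Added example, not code from the thread.
# Assumption: mydomain-DG is a string data group holding lowercase
# host names without a port, one record per published domain.
when HTTP_REQUEST {
    # Normalise the Host header: lowercase it, then keep only the part
    # before the first ":" so an explicit port does not break the match.
    set host [string tolower [HTTP::host]]
    set host [getfield $host ":" 1]

    # Refuse requests with no Host header and requests whose Host is not
    # in the data group. The virtual server's bare IP address falls in
    # the second case because it is not a record in mydomain-DG.
    if { $host eq "" || ![class match -- $host equals mydomain-DG] } {
        # Record what was refused so scans against the IP are visible.
        log local0.notice "Refused Host '[HTTP::host]' from [IP::client_addr] on [virtual name]"
        reject
        return
    }
}
```

Because the allowed names live in the data group, the same iRule can be attached to every virtual server, and adding a domain means adding a record rather than editing the rule.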