Forum Discussion
pgermain_71805
Nimbostratus
Mar 02, 2010
Rewrite Host and Select Different SSL Profile
Hello,
We have a current URL and cert combo that doesn't work because the web servers behind it got moved, but I need to figure out how to write an iRule on the LTM to get it working again, albeit with some rewrites on the F5 that are transparent to the customer.
We had a site, service.service.com and an associated cert. It went away, but some customers still hit the URL.
I want to...
1) Rewrite the host name that gets sent to the internal web server. I think I found something for that already. The following rule should rewrite the host name that gets sent internally while keeping the customer in the dark about the name change.
    when HTTP_REQUEST {
        # Swap the Host header sent to the pool member; the client still sees the original name
        if { [HTTP::header "Host"] eq "service.service.com" } {
            HTTP::header replace "Host" "service2.service.com"
        }
    }
2) Prevent a cert error.
The only way I can think of to do this is to take the previous rule and also have it use a different SSL Client profile than the default on the virtual server.
I haven't found this second part. If it exists, I would like to have it in one big iRule.
If anybody knows how to do this, it would help us greatly.
Thanks,
Paul
PS. This URL is an example and not the real URL.
3 Replies
- hoolio
Cirrostratus
Hi Paul,
Do both hostnames resolve to the same IP address? If so, in order to prevent a mismatched cert warning, you'd need to get a cert which is valid for both hostnames or configure a separate virtual server address and change the DNS record for one hostname. A single cert is generally only an option if both hostnames are on the same domain.
See this post for more info:
ssl redirect not working
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1167658&ptarget=1144662
If this isn't the case, can you elaborate on the scenario?
Thanks,
Aaron
- pgermain_71805
Nimbostratus
Thanks Aaron,
They do both resolve to the same IP address. I thought there might be some trick to have it choose a different ssl profile based on the host variable. If there isn't, then it is what it is.
Paul
- hoolio
Cirrostratus
At some point we'll be able to select the correct cert using a TLS extension. But until most browsers support it (or if you have a controlled client base), it's not practical to bother with. See this post for details:
SSL client profile based on hostname
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3071
Aaron
