Forum Discussion
Selective SSL offload based on URL
I am not sure how you have multiple URLs on the same VIP on 443 unless you are talking subdomains with a wildcard cert. I would be keen to see how you have done it as it would be extremely handy.
Host-based load balancing of HTTPS resources can be accomplished in one of three ways: a single wildcard certificate applied to the client SSL profile, a single SAN certificate applied to the client SSL profile, or multiple SNI-based client SSL profiles applied to the VIP. A wildcard would encompass all potential subdomains, a SAN could encompass several non-related host names, and an SNI config would allow the LTM to switch between client SSL profiles based on the server_name extension in the TLS CLIENTHELLO message. All of these methods, however, require SSL offload to be able to do HTTP-based host/URI evaluation. The method I'm suggesting would allow TLS-capable clients to pass through without SSL offload given that the CLIENTHELLO message is unencrypted and visible in a TCP payload evaluation.
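The server_name lookup described in the reply above, as an added Python example that is not part of the original post and is not F5 iRule code: it reads the SNI host name from the first client payload and picks pass-through or offload. The host set, the function names and the offload default for clients that send no SNI are assumptions, and the ClientHello bytes are constructed.

```python
import struct

PASSTHROUGH_HOSTS = {"secure.example.com"}  # hypothetical hosts that skip offload

def extract_sni(payload: bytes):
    """Return the server_name in a TLS ClientHello record, or None if absent/malformed."""
    try:
        # Record header is 5 bytes (type 0x16 = handshake); handshake type 0x01 = ClientHello
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]              # session_id
        (n,) = struct.unpack_from("!H", payload, pos)
        pos += 2 + n                         # cipher_suites
        pos += 1 + payload[pos]              # compression_methods
        (ext_total,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        end = min(pos + ext_total, len(payload))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0x0000:           # server_name extension
                name_type = payload[pos + 2]  # follows the 2-byte list length
                (name_len,) = struct.unpack_from("!H", payload, pos + 3)
                name = payload[pos + 5:pos + 5 + name_len]
                if name_type != 0 or len(name) != name_len:
                    return None
                return name.decode("ascii").lower()
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                          # truncated or not TLS
    return None

def decide(payload: bytes) -> str:
    """Pass through only on an exact SNI match; everything else is offloaded."""
    return "passthrough" if extract_sni(payload) in PASSTHROUGH_HOSTS else "offload"

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A ClientHello that spans more than one TCP segment parses as truncated here and falls to the offload default, so a real deployment needs to collect the full record before deciding.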