Forum Discussion

Jim_M
Sep 06, 2022

Supporting an HTTP/2 SNI website with F5 LTM?

I have a website which is working fine directly from browser to server. But not via f5 (v16.1.2).

The session uses HTTPS 443, TLS 1.2, HTTP/2.0, and the server relies on SNI. When via F5: the client browses  F5 presents a wildcard cert, which the browser is happy with.  F5 forwards to backend  The node in the pool uses FQDN to resolve  I have tried using host header replacement via an iRule to enforce the host header being  I have tried creating a custom server-side SSL profile which has the "server name" field set to

Unfortunately the backend still does not see the traffic as being for  in the same way that a direct browser session would behave. Is there iRule logging I can apply to see exactly what request is being sent from F5 to the backend?

8 Replies

  • I believe you're on the right lines by including the server name in the server SSL profile, but I think (even if there's only one profile) you have to enable the "serverssl-use-sni" feature on the Virtual Server:

    If that isn't working then you could probably pull the SNI field out of the server side connection using iRules and the SSL::extensions command. Kai_Wilke has an example of inserting the SNI header here (which is an alternative for versions earlier than 15.1.x or if you didn't want to use multiple SSL profiles and the serverssl-use-sni feature) which could be used as the basis to build a rule to extract and log the header instead.

  • Not to rock any boats, but the distributed cloud prefers SNI. It's remarkably easy to get going.

  • Where are you seeing the problem - is it on the back-end SSL handshake? What is the serverSSL profile configuration? Does the server have a wildcard certificate as well? 


  • Sorry for the ignorance; what is "the distributed cloud"?

    • F5's Distributed Cloud (or XC) is the next generation platform for ADC from F5. It's a VERY different methodology than BigIP. F5's "devices" for XC, or Customer Edge Nodes, are actually SDN routers, not ADC appliances. 

  • So the problem is only that you're sending to your node but you have this hostname not configured and your node only listens to  So a simple Hostname Header rewrite is enough? Then create an LTM Policy with: when host is  rewrite to 

    iRule for logging? Something like this:

       # HTTP_REQUEST_RELEASE fires just before the request leaves the BIG-IP
       # for the pool member, so it shows the request as sent to the backend
       when HTTP_REQUEST_RELEASE {
           log local0. "Client [IP::client_addr] This is the HTTP Host [HTTP::host]"
           log local0. "Query string of URI: [HTTP::uri] is [URI::query [HTTP::uri]]"
       }



    • Jim_M

      I suspect SNI is required.  I have applied a host header rewrite but that wasn't sufficient.

      Also, regarding the logging, does that iRule log the client request? Or the request format as sent from F5 to backend?

      • Okay I never used server-side SNI before. Did you try what AaronJB suggested? 

        The iRule logs the request from F5 to Backend.

        HTTP_REQUEST = client to F5 and HTTP_REQUEST_RELEASE = F5 to backend
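Putting the two suggestions in this thread together (log what leaves the BIG-IP in HTTP_REQUEST_RELEASE, and inspect the server-side SNI with SSL::extensions), here is an added debugging iRule that is not from the thread or from F5. It assumes the virtual server has HTTP and server SSL profiles attached, that SSL::extensions can read the outgoing ClientHello in SERVERSSL_CLIENTHELLO_SEND as in the Kai_Wilke example referenced above, and the "sni-debug" log prefix is an arbitrary label.

```tcl
# Added example: shows, per request, the Host header the client sent, the
# Host header and URI actually forwarded to the pool member, and whether
# the server-side TLS ClientHello carries a server_name (SNI) extension.

when HTTP_REQUEST {
    # Client-side view: Host header as the browser sent it, before any
    # LTM policy or iRule rewrite
    set client_host [HTTP::host]
}

when HTTP_REQUEST_RELEASE {
    # Server-side view: fires after rewrites and after the pool member has
    # been selected, so this is what the backend will receive
    if { ![info exists client_host] } { set client_host "-" }
    log local0. "sni-debug client=[IP::client_addr] node=[IP::server_addr]:[TCP::server_port]"
    log local0. "sni-debug client_host=$client_host backend_host=[HTTP::host] uri=[HTTP::uri]"
}

when SERVERSSL_CLIENTHELLO_SEND {
    # Inspect the ClientHello the BIG-IP is about to send to the pool member.
    # Extension type 0 is server_name. If it is absent, a Host header rewrite
    # alone cannot help: the backend selects its certificate/vhost from SNI.
    if { [SSL::extensions exists -type 0] } {
        # Layout: type(2) len(2) list_len(2) name_type(1) name_len(2) name...
        # so the host name starts at byte offset 9
        binary scan [SSL::extensions -type 0] @9a* sni_sent
        log local0. "sni-debug backend SNI sent: $sni_sent"
    } else {
        log local0. "sni-debug NO server_name extension in server-side ClientHello"
    }
}
```

If the log shows "NO server_name extension", the server SSL profile's Server Name setting is not being applied to that connection; that is the point where the serverssl-use-sni setting on the virtual server (or SNI insertion in SERVERSSL_CLIENTHELLO_SEND) comes in.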