Forum Discussion
Jeff_Steenberge
Nimbostratus
Apr 11, 2006
Understanding how to write iRules - Switch SSL certs based on subdomain?
I have a profile socks.store.com and it is set up for a Virtual server (Store_443) that uses that profile. I would like to take that setting out and control which cert they get with iRules. The below...
hoolio
Cirrostratus
Apr 11, 2006
Hi Jeff,
The simplest method might be to use a single wildcard certificate. This would work if each of your subdomains is on the same domain.
If you want to use a separate cert per subdomain, then you run into an issue described before in this forum. In order to view the hostname of an HTTPS request, you have to have performed the SSL handshake. In order to perform the SSL handshake, you have to know which cert (and domain) the request is for so you can present the right cert.
One of the developers described a possible method for figuring out which cert to present based on a prior HTTP request.
From the post here:
http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=3071
There actually is a way though, but it involves thinking a little unconventionally.
If you allow someone to hit an HTTP page first (on an unencrypted or known-SSL channel prior to redirecting them), and set up a session entry for them based on their source IP address in an iRule, you could retrieve this session entry later at the beginning of an SSL session and use the SSL::profile command to choose the ssl profile you're going to use.
Note that it's far from foolproof, and may not work for megaproxies and NATs, but it does sorta work.
If you can't/don't want to use a wildcard cert, and want to try the second method, you might reply here and ask for assistance in building such a configuration/rule.
Aaron
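
A sketch of the session-entry method described in the reply above, added here as an example and not taken from the thread or from F5. It assumes a TMOS version that provides the `table` command (used in place of the "session entry" the quoted post mentions), a hypothetical second hostname `shoes.store.com`, client SSL profiles named after each hostname, and a hypothetical subtable name `cert_hint` with a 60-second timeout.

```tcl
# --- Rule A: attach to the port-80 (HTTP) virtual server ---
when HTTP_REQUEST {
    # Strip any :port and normalise case before trusting the Host header.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    switch -- $host {
        "socks.store.com" -
        "shoes.store.com" {
            # Record the hint keyed by source IP; it expires after 60 s idle.
            table set -subtable cert_hint [IP::client_addr] $host 60
            HTTP::redirect "https://${host}[HTTP::uri]"
        }
        default {
            # Unknown Host: store nothing and never redirect to it.
            HTTP::respond 400
        }
    }
}

# --- Rule B: attach to the port-443 virtual server (Store_443) ---
when CLIENT_ACCEPTED {
    # Runs before the SSL handshake, so only the source IP is available.
    set hint [table lookup -subtable cert_hint [IP::client_addr]]
    switch -- $hint {
        "socks.store.com" { SSL::profile socks.store.com }
        "shoes.store.com" { SSL::profile shoes.store.com }
        default {
            # No hint: keep the profile configured on the virtual server.
        }
    }
}
when HTTP_REQUEST {
    # After decryption the real Host is visible. Log wrong guesses, which
    # is what happens when several users share one NAT or proxy address.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $hint ne "" && $host ne $hint } {
        log local0. "cert hint mismatch: [IP::client_addr] hint=$hint host=$host"
    }
}
```

The mismatch log line in Rule B gives a measure of how often shared source addresses cause the wrong certificate to be presented, which is the limitation the quoted post warns about.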