Forum Discussion

Adriano_Fabrizi (Nimbostratus)
Nov 30, 2018

use doSSL on correct host header

Hi there, I'm trying to configure an iRule that permits a client to use the right SSL certificate based on the Host header. This is needed because we have 2 SSL certificates, one for the external clients and one for the internal ones.

So, a single VIP on 443 to a single pool, 2 SSL certificates, where the correct one has to be engaged based on the Host header in the client's request.

I'm trying this at the moment, no luck:

    when HTTP_REQUEST {
        # Host header, lower-cased, with any ":port" suffix stripped
        set host_name [string tolower [substr [HTTP::host] 0 ":"]]
        set doSSL 0
        switch -glob $host_name {
            "internal_hostname" { set doSSL 1 }
            "external_hostname" { set doSSL 2 }
            default {
                HTTP::respond 403 content "403 Forbidden from Loadbalancer"
                log local0. "[HTTP::host] [IP::client_addr] $host_name unknown"
            }
        }
    }

    when SERVER_CONNECTED {
        SSL::profile ssl_default
        # doSSL variable is checked and SSL disabled or profile selected
        # (guard against the variable not being set, e.g. no HTTP_REQUEST yet)
        if { [info exists doSSL] } {
            if { $doSSL == 1 } {
                SSL::profile ssl_internal
            } elseif { $doSSL == 2 } {
                SSL::profile external
            }
        }
    }

Thanks for your help.

  • A few things:

    • The SERVER_CONNECTED event is a server-side event that is triggered after the server-side TCP handshake, and long after the client-side handshake has completed. At this stage in the proxy path, the SSL::profile command would only have access to the server SSL profile.

    • I'm guessing you mean to change the certificate to the client (not the server), in which case the HTTP_REQUEST event is also too late. By the time you get to this event, you've already completed the SSL handshake. You therefore cannot make client-side SSL profile changes based on HTTP Host header values.

    • Fortunately, modern browsers support the TLS "Server Name Indication" (SNI) extension, so when you navigate to an HTTPS site, the hostname in the browser URL is inserted into the TLS SNI handshake request from the client. BIG-IP can switch between client SSL profiles based on this SNI value. You'd create a separate SSL profile, one for each server certificate. And in each profile you'd enter a Server Name value that matches the desired hostname (the CN and/or SAN value of the certificate). And then add all of these client SSL profiles to the VIP. The VIP will then automatically select the correct profile, and correct certificate based on the client's SNI. No iRules required.
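The SNI-based setup described in the reply above, written out as tmsh commands. This is an added example, not code from the thread or from F5: the hostnames (internal.example.com, external.example.com), the certificate and key object names, the profile names and the virtual server name vs_https_443 are all assumptions and need to be replaced with your own.

```tmsh
# Added example, not from the original thread. Assumes the certificates and
# keys internal.crt/internal.key and external.crt/external.key are already
# imported into the BIG-IP, and that an HTTPS virtual server vs_https_443
# already exists on port 443.

# One client SSL profile per certificate. server-name is the hostname the
# client sends in the TLS SNI extension; the virtual server matches it
# against the attached profiles and uses the matching certificate.
create ltm profile client-ssl clientssl_internal defaults-from clientssl cert internal.crt key internal.key server-name internal.example.com

# Exactly one profile on the virtual server must be the SNI default. It is
# also the profile used for clients that send no SNI at all, so pick the
# certificate those clients (typically the external, older ones) should see.
create ltm profile client-ssl clientssl_external defaults-from clientssl cert external.crt key external.key server-name external.example.com sni-default true

# Attach both client SSL profiles to the single 443 virtual server.
modify ltm virtual vs_https_443 profiles add { clientssl_internal clientssl_external }

save sys config
```

To check which certificate each hostname gets, connect to the VIP with an explicit SNI value and look at the presented subject, e.g. `openssl s_client -connect <vip-ip>:443 -servername internal.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, then repeat with external.example.com and once more without `-servername` to confirm that non-SNI clients land on the sni-default profile. Note that a client that sends no SNI (or an unknown name) is not rejected; it simply gets the default certificate, so the "403 Forbidden from Loadbalancer" behaviour of the original iRule has to be handled separately, for example by an iRule on HTTP_REQUEST that only inspects the Host header and responds, without touching SSL::profile.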