use irule to force SSL profile based on URL
I am new to F5, and this question may be very basic. Thanks in advance to whoever is helping.
My situation is: we have 2 web servers using the same VIP, distinguished by different URLs, and I am pointing them to different pools. Since they also use different SSL profiles (both client side and server side), I want to use an iRule to assign them different SSL profiles based on URL.
Not sure if it is doable; if so, how?
Below is what I have so far:
when HTTP_REQUEST {
    # Route on the (lower-cased) Host header; one pool per hostname
    switch [string tolower [HTTP::host]] {
        "a.webone.com" {
            pool a.webone.com
        }
        "b.webtwo.com" {
            pool b.webtwo.com
        }
        default {
            # Anything else is unexpected; record it
            log local0. "Unknown host to switch: [HTTP::host]"
        }
    }
}
5 Replies
- Kevin_Stewart
Employee
Client SSL, server SSL, or both?
- Allan_ivari_304
Nimbostratus
Hi Kevin, I am trying to force both client and server SSL.
- HarshaPotharaju
Nimbostratus
- Kevin_Stewart
Employee
https://support.f5.com/csp/article/K13452
Well, yes. The easiest way to support different client side certificates is to use SNI switching. You create multiple client SSL profiles, each with a different Server Name attribute (that should match the defined certificate CN or SAN), and then include all of the client SSL profiles in a single VIP. Based on the SNI value in the client's ClientHello TLS handshake message, the BIG-IP will switch between the client SSL profiles.
Swapping the server side SSL profile is also pretty straightforward. You'd just add the SSL::profile [profile_name] command to an iRule event. Ref: https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx, and you can even do this in a CPM policy.
But keep in mind for client-side SNI switching, the client SSL profiles all have to be identical, except for the Server Name attribute and cert/key. If you actually need different types of client SSL profiles (like with different ciphers, or client authentication), then you'd have to parse the binary SNI value from the TCP payload. There are plenty of examples of that here, so not terribly difficult.
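The server-side switch Kevin describes, written out as an added example (not code from the thread or from F5). It extends the original poster's host switch so each hostname gets its own pool and its own server SSL profile via SSL::profile; the pool and profile names are hypothetical, and it assumes every server SSL profile named here is attached to the virtual server, with the client side handled by SNI-based client SSL profiles as described above.

```tcl
# Added example: pool + server-side SSL profile selected per Host header.
# Assumes the serverssl_* profiles (hypothetical names) are attached to the VIP.
when HTTP_REQUEST {
    # The Host header is client-supplied input: lower-case it and drop any
    # ":port" suffix so "A.WebOne.com:443" still matches the expected value.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "a.webone.com" {
            pool a.webone.com
            # Server-side handshake has not started yet, so the profile
            # chosen here is what BIG-IP uses when it connects to the pool.
            SSL::profile serverssl_webone
        }
        "b.webtwo.com" {
            pool b.webtwo.com
            SSL::profile serverssl_webtwo
        }
        default {
            # Fail closed: an unknown Host must not fall through to the
            # VIP's default pool (and default server SSL profile).
            log local0. "Unknown host to switch: $host"
            HTTP::respond 404 content "Not found" "Connection" "close"
        }
    }
}
```

The server-side profile can be keyed on anything in the HTTP request because this event runs after the request is parsed; the client-side profile (and therefore its cipher string) is fixed at the ClientHello, so it can only be selected by SNI hostname, not by URL path.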
- Alvaro_Arcila
Nimbostratus
Hi Kevin,
Would you please provide a link for doing this:
"If you actually need different types of client SSL profiles (like with different ciphers, or client authentication), then you'd have to parse the binary SNI value from the TCP payload. There are plenty of examples of that here, so not terribly difficult."
I'm new to F5 and I need this:
https://domain.com/Customer1/ ---> !AES:!DES...
https://domain.com/Customer2/ ----> !TLS1:!TLS1_1:!RSA:!AES:DES
Regards,