Forum Discussion

donmon_10187's avatar
donmon_10187
Icon for Nimbostratus rankNimbostratus
Oct 14, 2013

Using iRules to conserve public IP addresses

Hello all,

I've been tasked with coming up with a solution using one public IP address and laod balancing it to multiple pools using iRules and host-headers. Currently, we're doing a one to one NAT. I created a virtual server and used the iRule below, which is using Data Groups. I was able to successfully accomplish this for http but I cannot get https to work. If anyone can provide some input, I'd much appreciate it. 

    when HTTP_REQUEST {
if { [class match [string tolower [HTTP::host]] equals TestRedirect] } {
  set usepool [class match -value [string tolower [HTTP::host]] equals TestRedirect]
  pool $usepool
}
}

Here is the Data Group for the http pools. 

ltm data-group internal /Common/TestRedirect { 
    records { 
        TESTA.net { 
            data TESTA_80_pool 
        } 
        TESTB.org { 
            data TESTB_80_pool 
        } 
        TESTC.com { 
            data TESTC_80_pool 
        } 
    } 
    type string 
}
application delivery
data groups
devops
host-headers
iRules
  • Lee_Payne_53457's avatar
    Lee_Payne_53457
    Oct 14, 2013

    I was assuming that they wanted it to be seamless rather than present a cert error but you are correct, if you didn't mind the cert error appearing any cert applied to a client SSL profile would work for this.

     

  • Lee_Payne_53457's avatar
    Lee_Payne_53457
    Icon for Cirrostratus rankCirrostratus
    Oct 14, 2013

    The only way this would work is if you had a SSL certificate containing SAN's for each domain you want to use for your iRule, without a proper SSL cert to decrypt the traffic what you want to do is impossible.

     

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Oct 14, 2013

    Would it be impossible? You'd need a client SSL profile so the f5 can decrypt the traffic so the irule can inspect the http traffic. Then if there is a cert mismatch wouldn't you just get the certificate warning in the browser and need to click on Continue? Not pretty of course so yes, you'd want a wildcard cert of some description.

     

  • Lee_Payne_53457's avatar
    Lee_Payne_53457
    Icon for Cirrostratus rankCirrostratus
    Oct 14, 2013

    I was assuming that they wanted it to be seamless rather than present a cert error but you are correct, if you didn't mind the cert error appearing any cert applied to a client SSL profile would work for this.

     

  • donmon_10187's avatar
    donmon_10187
    Icon for Nimbostratus rankNimbostratus
    Oct 14, 2013

    Thanks for the information guys. I'll explore the options. Seamless is what we'd want but I'll need to build the solution first and go from there.