Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Thiago_Morais's avatar
Thiago_Morais
Icon for Altostratus rankAltostratus
Feb 03, 2021

VIP using two different URL and certificates

I have a scenario that the server team is asking to create a VS in the F5 that will be used by an external application to access an internal application using API. But in the scenario, there are some...
application delivery
big-ip
LTM
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Feb 04, 2021

Hi Thiago,

 

I understand that you have one external hostname for your app and one internal. In your example url1.domain.com for external and url2.domain.com for internal.

And that you have different paths for internal and external. External might be /dirA/index.html, while internal might be /dirB/index.html.

So for users accessing the app via url1.domain.com you want to rewrite the HTTP::host and (partially) the HTTP:path so that they match the internal ones, right? That can be done with iRules or with LTM Traffic Policies. I find this picture handy to learn the terminology.

 

For the SSL bridging, 90% of the cases can be satisfied with the default serverssl profile, it is sufficient to establish a connection to a pool member using https. Unless you have requirements on the serverside, like SNI or SSL protocol, this serverssl profile will do.

 

Best of luck

Daniel

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP
      Feb 04, 2021

      Hi Thiago,

      I would use a LTM Traffic Policy instead on an iRule and also I would pay attention if maybe you want to rewrite the Referer header too.

      In a Traffic Policy you would do it like this (tmsh output)

      ltm policy policy_route_url1.domain.com {
    controls { forwarding server-ssl }
    requires { http }
    rules {
        match_url1.domain.com {
            actions {
                0 {
                    http-host
                    replace
                    value url2.domain.com
                }
                1 {
                    http-referer
                    replace
                    value "tcl:[regsub -nocase {url1.domain.com} [HTTP::header Referer] {url2.domain.com}]"
                }
                2 {
                    forward
                    select
                    pool pool_url2.domain.com
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    values { url1.domain.com }
                }
            }
        }
    status published
    strategy first-match
}

      KR

      Daniel

    • Thiago_Morais's avatar
      Thiago_Morais
      Icon for Altostratus rankAltostratus
      Feb 04, 2021

      Thanks, Daniel

       

      The configuration is ready to be applied in the F5, after that, I'll let you know.

    • Thiago_Morais's avatar
      Thiago_Morais
      Icon for Altostratus rankAltostratus
      Feb 06, 2021

      Hi Daniel

       

      I don't know how, but the external application gets access to the internal application through the Virtual Server, but I don't have to configure police or iRule. The Virtual Server was configured to Standard type, SSL Client Profile was configured to use the external certificate, and SSL Server Profile was configured to use the internal certificate. When I applied all configurations in the F5, in the first test, the access was done successfully.