Ferg_104721
Feb 28, 2011
Nimbostratus
Work-around if you don't have www SSL
Hey,
This is a workaround if a client needs to be able to have a DNS entry for *.site.test.com but doesn't want to pay for a SAN cert which has www.*.site.test.com and *.site.test.com.
This will not get www working for them in the browser window (unless you could capture the SSL error and force a redirect).
Scenario: 2 VIPs, one on 80, one on 443. SSL for 443 has *.site.test.com, 2 iRules. The 80 VIP is set up like an 80 to 443 redirect VIP, but instead of a class use an iRule for 80. The second iRule is if you need to strip the www. for the backend servers.
Example:
* User connects to http://1.site.test.com, gets through as expected.
* User connects to http://www.1.site.test.com, iRule 80 looks for www., strips the www. from the header and redirects to https:// with the correct header information, SSL kicks in and all is gravy.
* User connects to http://1.site.test.com, gets through as expected.
* User connects to https://www.1.site.test.com, fails as your SSL cert is *.site.test.com (SSL error capture may help here, but I only just thought of that).
443 VIP irule
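    when HTTP_REQUEST {
        # Match only a leading "www." so hosts that merely contain "www."
        # elsewhere are not truncated by the 4-character strip below.
        if { [string tolower [HTTP::host]] starts_with "www." } {
            # Drop the first 4 characters ("www.") before the request
            # is passed to the backend servers.
            set new_header [string range [HTTP::host] 4 end]
            HTTP::header replace Host "$new_header"
        }
    }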
80 VIP irule
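    when HTTP_REQUEST {
        # Match only a leading "www." so the 4-character strip is always correct.
        if { [string tolower [HTTP::host]] starts_with "www." } {
            # Redirect to HTTPS on the host name without "www.",
            # which the *.site.test.com certificate covers.
            set new_header [string range [HTTP::host] 4 end]
            HTTP::redirect "https://${new_header}[HTTP::uri]"
        } else {
            # No "www." prefix: plain 80 to 443 redirect.
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }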
If this makes no sense, at least I haven't hurt anyone; if it helps someone, sweet :D
Ferg
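The port 80 redirect above places the client-supplied Host value into the Location header. The following is an added example, not part of the original post, of a port 80 iRule that redirects only when the stripped host is something the *.site.test.com wildcard actually covers (exactly one label to the left of the suffix). The `suffix` variable and the 400 response for everything else are assumptions made for this sketch.

```tcl
when HTTP_REQUEST {
    # Assumed zone suffix, taken from the post's *.site.test.com certificate.
    set suffix ".site.test.com"

    # Normalise: lower-case and drop any :port the client put in Host.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Strip one leading "www." only, as the post's iRule intends.
    if { $host starts_with "www." } {
        set host [string range $host 4 end]
    }

    # A wildcard certificate covers exactly one label left of the suffix,
    # so "1.site.test.com" is covered and "a.b.site.test.com" is not.
    set covered 0
    if { $host ends_with $suffix } {
        set label [string range $host 0 end-[string length $suffix]]
        if { $label ne "" && [string first "." $label] == -1 } {
            set covered 1
        }
    }

    if { $covered } {
        HTTP::redirect "https://${host}[HTTP::uri]"
    } else {
        # Host is outside the certificate's scope: do not reflect it
        # into a Location header, and leave a trace for review.
        log local0. "Redirect refused for Host [HTTP::host]"
        HTTP::respond 400 content "Bad Request"
    }
}
```

A request for http://www.www.1.site.test.com is refused here, because only one "www." is stripped and the remainder has two labels in front of the suffix.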