Forum Discussion

Ferg_104721
Feb 28, 2011

Work-around if you don't have www SSL

Hey,

This is a workaround if a client needs to be able to have a DNS entry for *.site.test.com but doesn't want to pay for a SAN cert which has www.*.site.test.com and *.site.test.com.

This will not get them www working in the browser window (unless you could capture the SSL error and force a redirect).

Scenario: 2 VIPs, one on 80, one on 443. SSL for 443 has *.site.test.com, 2 iRules. The 80 VIP is set up like an 80 to 443 redirect VIP, but instead of a class use an iRule for 80. The second iRule is if you need to strip the www. for the backend servers.

Example:

* user connects to http://1.site.test.com, gets through as expected
* user connects to http://www.1.site.test.com, iRule 80 looks for www., strips the www. from the header and redirects to https:// with correct header information, SSL kicks in and all is gravy.
* user connects to http://1.site.test.com, gets through as expected
* user connects to https://www.1.site.test.com, fails as your SSL cert is *.site.test.com (SSL error capture may help here, but I only just thought of that.)

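443 VIP iRule

    when HTTP_REQUEST {
        # starts_with, so "www." elsewhere in the name is not mistaken for the prefix
        if { [HTTP::header value Host] starts_with "www." } {
            # Original Host value (not used further below)
            set org_header [HTTP::header value Host]
            # Drop the 4-character "www." prefix
            set new_header [string range [HTTP::host] 4 end]
            # Pass the stripped Host on to the backend servers
            HTTP::header replace Host "$new_header"
        }
    }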

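80 VIP iRule

    when HTTP_REQUEST {
        # starts_with, so only a leading "www." is stripped
        if { [HTTP::header value Host] starts_with "www." } {
            # Drop the "www." prefix and redirect to HTTPS on the bare name
            set new_header [string range [HTTP::host] 4 end]
            HTTP::redirect https://$new_header[HTTP::uri]
        } else {
            # No "www." prefix: plain HTTP to HTTPS redirect
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        }
    }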

If this makes no sense at least I haven't hurt anyone, if it helps someone, sweet :D

Ferg

 

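An added example, not part of the original post: a port-80 iRule that redirects only to names the *.site.test.com certificate from the post actually covers, that is, exactly one label in front of .site.test.com once a leading www. is removed. The lower-casing, the port stripping and the 400 response for any other Host value are assumptions of this example.

```tcl
# Added example (not the poster's code). Assumes the 443 VIP presents a
# certificate for *.site.test.com, as described in the post.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and drop any ":port" suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Strip exactly one leading "www." label, never a "www." further in.
    if { $host starts_with "www." } {
        set host [string range $host 4 end]
    }

    # A wildcard matches a single label, so *.site.test.com covers
    # "1.site.test.com" but not "a.b.site.test.com" or "site.test.com".
    set suffix ".site.test.com"
    if { $host ends_with $suffix } {
        # Everything to the left of the suffix.
        set label [string range $host 0 end-[string length $suffix]]
        if { $label ne "" && [string first "." $label] == -1 } {
            HTTP::redirect "https://${host}[HTTP::uri]"
            return
        }
    }

    # Any other name would fail certificate validation on the 443 VIP,
    # so answer here instead of redirecting to it (example's choice).
    HTTP::respond 400 content "Bad Request" "Connection" "close"
}
```

With this rule, http://www.1.site.test.com is redirected to https://1.site.test.com, while a Host value outside the wildcard's scope gets the 400 instead of a redirect.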