Multiple Certs, One VIP: TLS Server Name Indication via iRules
Wouldn't it be simpler to just see code that just works? I mean practically dead simple. I have searched extensively, but every piece of advice I get suggests adding multiple SSL profiles to the same VIP and letting the VIP auto-select the best server SSL profile to use. I mean this is like completely handing off critical decision-making to chance. What if the server SSL profile is selected incorrectly? That leaves room for difficulty in pinpointing the failure. I managed to put together a few ideas and have an iRule that really works and provides logging if the wrong SSL profile, or none, is selected. You need to prepare the FQDN or server IP:port pools to go with it, though:
1) Create ephemeral pools pointing to the new FQDN or server IP:port members (the pool name must be the new FQDN with "_pool" appended, because the iRule builds the pool name from the rewritten host):
a) fqdn-a.new_fqdn_pool
b) fqdn-b.new_fqdn_pool
c) fqdn-c.new_fqdn_pool
d) fqdn-d.new_fqdn_pool
2) Create a Server SSL profile for each of the new FQDN destination URLs:
a) fqdn-a_serverssl
b) fqdn-b_serverssl
c) fqdn-c_serverssl
d) fqdn-d_serverssl
3) Create a new iRule and attach it to the inbound VIP:
    when HTTP_REQUEST {
        # Initialise the selector so SERVER_CONNECTED never reads an unset variable
        set doSSL 0
        # Inspect the inbound Host header and rewrite it based on the original URL
        switch [HTTP::host] {
            "fqdn-a.original_fqdn" {
                set new_fqdn "fqdn-a.new_fqdn"
                set doSSL 1
                SSL::enable serverside
            }
            "fqdn-b.original_fqdn" {
                set new_fqdn "fqdn-b.new_fqdn"
                set doSSL 2
                SSL::enable serverside
            }
            "fqdn-c.original_fqdn" {
                set new_fqdn "fqdn-c.new_fqdn"
                set doSSL 3
                SSL::enable serverside
            }
            "fqdn-d.original_fqdn" {
                set new_fqdn "fqdn-d.new_fqdn"
                set doSSL 4
                SSL::enable serverside
            }
            default {
                # Unknown host: log it, reset the connection and stop processing this event,
                # otherwise the Host rewrite and pool commands below would still run
                log local0. "Inbound fqdn not known: [HTTP::host]"
                reject
                return
            }
        }
        HTTP::header replace Host $new_fqdn
        # Pool name is derived from the new FQDN, e.g. fqdn-a.new_fqdn_pool
        pool ${new_fqdn}_pool
    }
    when SERVER_CONNECTED {
        # doSSL is checked and the matching Server SSL profile is selected;
        # anything else is logged so a missing or wrong selection is visible
        if { ![info exists doSSL] } {
            log local0. "doSSL not set; no Server SSL profile selected for [IP::server_addr]"
            return
        }
        if {$doSSL == 1} {
            SSL::profile fqdn-a_serverssl
            log local0. "Using Server SSL fqdn-a_serverssl"
        } elseif {$doSSL == 2} {
            SSL::profile fqdn-b_serverssl
            log local0. "Using Server SSL fqdn-b_serverssl"
        } elseif {$doSSL == 3} {
            SSL::profile fqdn-c_serverssl
            log local0. "Using Server SSL fqdn-c_serverssl"
        } elseif {$doSSL == 4} {
            SSL::profile fqdn-d_serverssl
            log local0. "Using Server SSL fqdn-d_serverssl"
        } else {
            log local0. "No Server SSL profile matched doSSL=$doSSL for [IP::server_addr]"
        }
    }
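The same selection can be driven from one string data group instead of a growing switch/if chain, so adding a site is a single data-group entry and a typo cannot pair the wrong profile with a host. This is an added example, not code from the original post; it assumes a string data group named dg_host_ssl_map (hypothetical name) whose keys are the original hosts and whose values are "<new_fqdn> <serverssl_profile>", e.g. "fqdn-a.original_fqdn" := "fqdn-a.new_fqdn fqdn-a_serverssl".

```tcl
when HTTP_REQUEST {
    set doSSL ""
    # Normalise the Host header: lower-case and strip any ":port" suffix
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    # Look up "<new_fqdn> <serverssl_profile>" in the assumed data group dg_host_ssl_map
    set entry [class match -value $host equals dg_host_ssl_map]
    if { $entry eq "" } {
        # Fail closed on unknown hosts and stop processing this event
        log local0. "Inbound fqdn not known: [HTTP::host]"
        reject
        return
    }
    set new_fqdn [lindex $entry 0]
    set doSSL    [lindex $entry 1]
    HTTP::header replace Host $new_fqdn
    SSL::enable serverside
    # Pool name follows the page's convention: <new_fqdn>_pool
    pool ${new_fqdn}_pool
}
when SERVER_CONNECTED {
    # Never send traffic to a backend without an explicitly chosen Server SSL profile
    if { ![info exists doSSL] || $doSSL eq "" } {
        log local0. "No Server SSL profile selected for [IP::server_addr]:[TCP::server_port]; resetting"
        reject
        return
    }
    SSL::profile $doSSL
    log local0. "Using Server SSL $doSSL for [IP::server_addr]:[TCP::server_port]"
}
```

Because the profile name comes straight from the data group, a misspelled profile shows up in the log line above and in the iRule runtime error on that connection rather than as a silent fallback.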