SNI Routing with BIG-IP
Hi Eric,
At least it means I was reading the article with some understanding 🙂
I wonder if you can help me understand LTP condition evaluation. I am trying to set up a VS on both ports 80 and 443 (as you know, possible in v14.1+). When the dst port is 80 I am disabling the Client SSL profile at client-accepted (separate policy). Then I am checking the Host header to make the forwarding decision. So far so good. Then, when the port is 443, I am not disabling Client SSL and am trying to check SNI at SSL Client Hello - now everything breaks for port 80 - immediate TCP RST. It looks like even if the traffic does not match the port condition, LTM is still trying to check the SSL extension - and this is not present in the HTTP request, so no target is selected and there is a failure. At the same time, traffic to port 443 works without issue.
If only port 443 is in the conditions then both HTTP and HTTPS work.
Here is the LTP I tried to use:
ltm policy vh-04_ltp {
    controls { forwarding server-ssl }
    last-modified 2019-02-19:16:47:48
    requires { http tcp client-ssl }
    rules {
        nothing-matched_r {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "No rule was matched"
                    priority info
                }
            }
            ordinal 3
        }
        site41-http-https_r {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "site41-http-https hit"
                    priority info
                }
                1 {
                    forward
                    select
                    pool site41-443_pl
                }
                2 {
                    tcl
                    set-variable
                    expression site41-http-https.f5demo.com
                    name host_ltp
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    values { site41-http-https.vlab.f5demo.com }
                }
                1 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 80 }
                }
            }
            ordinal 1
        }
        site41-http-to-http_r {
            actions {
                0 {
                    forward
                    select
                    pool site41-80_pl
                }
                1 {
                    server-ssl
                    disable
                }
                2 {
                    log
                    write
                    facility local0
                    message "site41-http-http hit"
                    priority info
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    values { site41-http-http.vlab.f5demo.com }
                }
                1 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 80 }
                }
            }
        }
        site41-https-https_r {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "site41-https-https HIT"
                    priority info
                }
                1 {
                    forward
                    select
                    pool site41-443_pl
                }
                2 {
                    tcl
                    set-variable
                    expression site41-https-https.f5demo.com
                    name host_ltp
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 443 }
                }
                1 {
                    ssl-extension
                    ssl-client-hello
                    server-name
                    values { site41-https-https.vlab.f5demo.com }
                    missing
                }
            }
            ordinal 2
        }
    }
    status published
    strategy first-match
}
I know how to do that another way; I am just curious why the SSL extension condition is breaking the HTTP part.
Piotr
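An added example, not part of Piotr's post and not F5's own tooling: a small Python reader for a tmsh "ltm policy" listing that reports, for a given client port, which rules are still candidates by their tcp port conditions (in ordinal order) and which of those carry a condition bound to the SSL Client Hello, an event a plaintext connection never produces. It runs on an abridged copy of the policy above (three of the four rules, actions dropped, each condition's values joined onto its keyword line). The EVENTS set, the "request" default for http-* conditions, and ordinal 0 for a rule printed without an ordinal line are assumptions about tmsh output, not something the post states, and the code does not model how BIG-IP itself evaluates a policy; it is a static check of what the listing says.

```python
import re

# Events a condition can bind to; 'request' assumed as the default for http-* conditions
EVENTS = {"client-accepted", "ssl-client-hello", "ssl-server-hello", "request", "response"}

# Abridged from the policy in the post: three rules, actions dropped, values joined onto one line
POLICY_TEXT = """
ltm policy vh-04_ltp {
    requires { http tcp client-ssl }
    rules {
        nothing-matched_r {
            ordinal 3
        }
        site41-http-https_r {
            conditions {
                0 {
                    http-host host values { site41-http-https.vlab.f5demo.com }
                }
                1 {
                    tcp client-accepted port local values { 80 }
                }
            }
            ordinal 1
        }
        site41-https-https_r {
            conditions {
                0 {
                    tcp client-accepted port local values { 443 }
                }
                1 {
                    ssl-extension ssl-client-hello server-name values { site41-https-https.vlab.f5demo.com }
                    missing
                }
            }
            ordinal 2
        }
    }
    strategy first-match
}
"""

INLINE = re.compile(r"^(.*?)\s*\{\s*(.*?)\s*\}$")   # one-line 'key { a b }' lists

def block():
    # lines: leaf lines as token lists; values: inline lists; children: nested blocks
    return {"lines": [], "values": {}, "children": {}}

def parse_tmsh(text):
    """Parse brace-nested tmsh output into a tree of blocks."""
    stack = [block()]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif (m := INLINE.match(line)):
            words = m.group(1).split()
            stack[-1]["lines"].append(words)
            stack[-1]["values"][words[-1]] = m.group(2).split()
        elif line.endswith("{"):                # opens a nested block
            child = block()
            stack[-1]["children"][line[:-1].strip()] = child
            stack.append(child)
        else:
            stack[-1]["lines"].append(line.split())
    if len(stack) != 1:
        raise ValueError("unbalanced braces in policy listing")
    return stack[0]

def conditions(rule):
    """Each condition as its keywords, the event it binds to, and its values."""
    out = []
    for cond in rule["children"].get("conditions", block())["children"].values():
        words = [w for line in cond["lines"] for w in line if w != "values"]
        event = next((w for w in words if w in EVENTS), "request")
        out.append({"words": words, "event": event,
                    "values": cond["values"].get("values", [])})
    return out

def ordinal(rule):
    # tmsh prints no ordinal line for the default value 0 (assumption)
    return next((int(l[1]) for l in rule["lines"] if l[0] == "ordinal"), 0)

def candidate_rules(root, port):
    """(rule name, needs TLS Client Hello) in ordinal order for rules whose tcp port
    conditions admit `port`; flagged rules can only ever match TLS traffic."""
    policy = next(iter(root["children"].values()))
    hits = []
    for name, rule in policy["children"]["rules"]["children"].items():
        conds = conditions(rule)
        ports = [c["values"] for c in conds if c["words"][0] == "tcp" and "port" in c["words"]]
        if all(port in p for p in ports):
            hits.append((ordinal(rule), name, any(c["event"] == "ssl-client-hello" for c in conds)))
    return [(name, needs_tls) for _, name, needs_tls in sorted(hits)]

if __name__ == "__main__":
    root = parse_tmsh(POLICY_TEXT)
    print({p: candidate_rules(root, p) for p in ("80", "443")})
```

Running it prints the candidate list per port; a rule flagged True on a port where the Client SSL profile is disabled is the kind of mismatch worth catching before a policy is published.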