Forum Discussion

Devost24
May 24, 2020

Multiple reverse proxy with multiple ssl profile

I have this use case:

1 IP to NAT 80, 443 to the outside internet

2 domains:

- dom1.com with dom1.com-ssl cert profile (wildcard) and app1.dom1.com, app2.dom1.com
- dom2.com with dom2.com-ssl cert profile (wildcard) and app1.dom2.com, app2.dom2.com

1 F5 VPN server with domain vpn.dom1.com using the same SSL cert profile as dom1.com (created by the F5 wizard)

================================================

I want to implement it like this:

- From the internet, when a user needs VPN access they go to https://vpn.dom1.com and it uses the dom1.com-ssl cert profile
- Access to https://app1.dom1.com, https://app2.dom1.com uses the dom1.com-ssl cert profile
- Access to https://app1.dom2.com, https://app2.dom2.com uses the dom2.com-ssl cert profile

================================================

To achieve this I did the following:

Create VS1 80 that redirects all incoming traffic to HTTPS.

On VS1 443 I configured no SSL profile and added this iRule:

****************************
when HTTP_REQUEST {
  # switch -glob takes the first matching pattern, so the exact VPN host
  # must be listed before the "*.dom1.com" wildcard or it never matches
  switch -glob [string tolower [HTTP::host]] {
    "vpn.dom1.com"  { virtual vpn-F5-VS }
    "*.dom1.com"    { virtual dom1.com-VS }
    "*.dom2.com"    { virtual dom2.com-VS }
  }
}
****************************

 

with the hope that VS1 acts as a reverse proxy, forwarding traffic whose host contains "dom1.com" to dom1.com-VS (VS2), "dom2.com" to dom2.com-VS (VS3), and "vpn.dom1.com" to the virtual server created by the F5 wizard.

On VS2 and VS3 I added an SSL profile plus the config to act as a reverse proxy, redirecting traffic to the appropriate pool or virtual server. If I connect directly to VS2, VS3 or the VPN VS, everything works fine.

But if I connect through VS1 NOTHING WORKS; the browser says "Secure Connection Failed An error occurred during a connection to app1.dom1.comm. PR_CONNECT_RESET_ERROR" or "can't reach this page The connection was reset."

I tried to add an SSL profile to VS1 but it is still not working.

I checked /var/log/ltm and it says nothing.

Anyone have an idea? Thank you

 

1 Reply

Hello,

You need to configure all client SSL profiles for the related domains on the VS-1 443 virtual server. Once the proper SSL profiles are configured, the SSL handshake between the client and VS-1 will happen. If there is still a problem after the handshake, then you need to check whether your iRule is working or not. You can check hits on the other VSs and see if there are hits.

NOTE- As you have multiple domains on the same VS, you need to configure all SSL profiles on VS-1 with SNI.

Hope it helps!

Mayur
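One way to lay out what Mayur describes, as an added tmsh example that is not from the original thread: both client SSL profiles attached to VS-1 on 443, dom1.com-ssl as the SNI default (so vpn.dom1.com, app*.dom1.com and any client that sends no SNI still get the dom1.com wildcard certificate) and dom2.com-ssl selected by server name. The certificate and key object names, the 10.0.0.1 listener address and the iRule name route_by_host are placeholders; a wildcard server-name on the dom2 profile is assumed to be supported on this BIG-IP version.

```tmsh
# Client SSL profiles. The SNI server-name chooses the certificate before
# any HTTP request is visible, which is why VS-1 on 443 must carry them:
# with no client SSL profile there is no handshake at all and the browser
# reports a connection reset.
ltm profile client-ssl dom1.com-ssl {
    defaults-from clientssl
    # placeholder certificate/key object names
    cert dom1-wildcard.crt
    key dom1-wildcard.key
    server-name dom1.com
    # default profile: serves *.dom1.com, vpn.dom1.com and clients without SNI
    sni-default true
}
ltm profile client-ssl dom2.com-ssl {
    defaults-from clientssl
    cert dom2-wildcard.crt
    key dom2-wildcard.key
    # wildcard SNI match, assumed supported on this BIG-IP version
    server-name *.dom2.com
}

# VS-1 on 443: decrypts with the profile picked by SNI, then the HTTP_REQUEST
# iRule from the post routes on HTTP::host to the per-domain virtual servers.
ltm virtual VS1-443 {
    # placeholder public listener address
    destination 10.0.0.1:443
    ip-protocol tcp
    profiles {
        dom1.com-ssl { context clientside }
        dom2.com-ssl { context clientside }
        http { }
        tcp { }
    }
    # placeholder name for the iRule shown in the question
    rules { route_by_host }
    source-address-translation { type automap }
}
```

After loading, the Statistics page (or tmsh show ltm virtual) for dom1.com-VS, dom2.com-VS and vpn-F5-VS shows whether the iRule is actually steering connections, which is the post-handshake check Mayur suggests.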