Forum Discussion

amass87_221296's avatar
amass87_221296
Icon for Nimbostratus rankNimbostratus
Apr 15, 2017

Redirect Options for retired hostname using SSL

So, I am trying to tackle an interesting problem. I have a legacy domain with a certificate that I am trying to retire. I have a new domain, new hostname, new certificate, and separate Virtual Server setup. However, I have no control over users on the Internet with saved links. The URLs referencing this hostname on the legacy domain, have long since been removed from publication. Just looking today, there were still more than 100 active connections. I can perform a redirect, assuming I can un-encrypt the traffic. However, I have a need to retire the associated certificate.

 

hostname.olddomain.com = VS-1:443

 

hostname.newdomain.com = VS-2:443

 

Is there any way to process traffic on port 443 without performing a certificate exchange, so that the user will send their request in a way that I can redirect them without having to un-encrypt the traffic?

 

Would it be possible to use NAT in some fashion to force the user to a Virtual Server listening on port 80, or will that break due to the https:// in the URL?

 

I fear that there is no way to solve this problem and I am forced to renew this certificate for another year.

 

301 redirect
application delivery
certificate
change hostname
client ssl profile
iRules
LTM
security

2 Replies

Sort By
  • Samir_Jha_52506's avatar
    Samir_Jha_52506
    Icon for Noctilucent rankNoctilucent
    Apr 15, 2017

    Cool. Already you said 1st option to renew cert & redirect old url to new, So browser cache will store. Flash user to update bookmark.

     

    2nd option is to Create alias of "hostname.olddomain.com" in New URL "hostname.newdomain.com" in DNS Level and assign SAN certificate name of both URL. Traffic impact will be less.

     

    How To Generate SAN - https://support.f5.com/csp/article/K13471

     

    In 2nd option your OLD URL(hostname.olddomain.com) IP will be free & all others resources can be utilized in other application.

     

  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Apr 15, 2017

    Is there any way to process traffic on port 443 without performing a certificate exchange, so that the user will send their request in a way that I can redirect them without having to un-encrypt the traffic?

    Their is no way to achieve this without a certificate. When the client types https:// the browser is expecting an SSL conversation after the session is established. Anything else will throw an error. You even can't do a redirect until after the SSL has been established as the F5 cannot read the traffic until that happens. 

    HTTP::respond 301 Location "https://my new page"

    Given the above you can trigger a 301 permanent redirect. This means the users browser should cache it and automatically use it the next time the bookmark is used. You may want to check in the new site that customers are coming from the old site page (see Referrer header) and put up a page/or message that the user should update their bookmarks to the new site.