* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

* Podcasts
* Social Channels
* Video Streaming

 

 

 

 

 

ABOUT DEVCENTRAL

DevCentral News Technical Forum Technical Articles Technical CrowdSRC Community Guidelines DevCentral EULA Get a Developer Lab License Become a DevCentral MVP

RESOURCES

Product Documentation White Papers Glossary Customer Stories Webinars Free Online Courses F5 Certification LearnF5 Training

SUPPORT

Manage Subscriptions Professional Services Professional Services Create a Service Request Software Downloads Support Portal

PARTNERS

Find a Reseller Partner Technology Alliances Become an F5 Partner Login to Partner Central

---

©2024 F5, Inc. All rights reserved.

Would any know how I can incorporate these 2 iRules into one or can they be ran independently and both iRules are utilized on the same VIP? 

My scenario, if a connection comes in for a particular client we would like to present that client with a particular cert we have defined, once that check is completed the traffic would then proceed to path based routing irule.

Referring to this article for TLS SNI https://support.f5.com/csp/article/K13452

This code is for TLS SNI 

when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] \":\" 1]
}
when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
    \"siteA.com\" {
        SSL::profile serverssl-siteA
    }
    \"siteB.com\" {
        SSL::profile serverssl-siteB
    }
  default {
#default serversssl profile to be selected if Host header value cannot be matched with predefined values
    SSL::profile serverssl
  }
}
}

AND

when HTTP_REQUEST {
switch -glob -- [string tolower [HTTP::uri]] {
\"/test*\" -
\"/test2.php*\" -
\"/tt/*\" -
\"/aa/*\" -
\"*/example/*\"  {
pool pool-A
}
default {
pool pool-B
}
}
}

Would any know how I can incorporate these 2 iRules into one or can they be ran independently and both iRules are utilized on the same VIP? 

My scenario, if a connection comes in for a particular client we would like to present that client with a particular cert we have defined, once that check is completed the traffic would then proceed to path based routing irule.

Referring to this article for TLS SNI https://support.f5.com/csp/article/K13452

This code is for TLS SNI 

when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] \":\" 1]
}
when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
    \"siteA.com\" {
        SSL::profile serverssl-siteA
    }
    \"siteB.com\" {
        SSL::profile serverssl-siteB
    }
  default {
#default serversssl profile to be selected if Host header value cannot be matched with predefined values
    SSL::profile serverssl
  }
}
}

AND

when HTTP_REQUEST {
switch -glob -- [string tolower [HTTP::uri]] {
\"/test*\" -
\"/test2.php*\" -
\"/tt/*\" -
\"/aa/*\" -
\"*/example/*\"  {
pool pool-A
}
default {
pool pool-B
}
}
}

The F5 Certification is excited to announce that all five of the NEW F5 Certified BIG-IP Administrator Certification (F5 CAB) exams are now live and available to schedule via the new Education Services Portal.

Hello, I think you should be able to run both iRules on same VIP wihout issues, since there's no overlap/conflict in their purpose.

Keep in mind instructions in HTTP_REQUEST event will always be performed before istructions in SERVER_CONNECTED event. This thread contains an excellent flowchart that shows in what order events are triggered. 

Thank you CA_Valli.

I put the iRule in place within the VIP. However I am still just presented with the 1 cert that is assigned with the sslclient profile of the VIP. I tried adding the second cert to the VIP however I received a warning/error msg : 0107149c:3: Virtual server /Common/xxxxxxx has more than one clientssl/serverssl profile but none of them is default for SNI. 

Am I supposed to have them both listed within the Virtual Server profile in order for the irule to be able to call them? 

when HTTP_REQUEST {
set hostname [getfield [HTTP::host] \":\" 1]
}
when SERVER_CONNECTED {
switch -glob [string tolower $hostname] {
\"*.client1.com\" {
SSL::profile ssl-CLIENT1
}
\"*.client2.local\" {
SSL::profile ssl-CLIENT2
}
default {
#default serversssl profile to be selected if Host header value cannot be matched with predefined values
SSL::profile ssl-CLIENT1
}
}
}

Hi, 

that would be correct, if you configure more than one SSL profile in virtual server you need to specify one and only one of them to be sni/default (the certificate Common Name will be presented to any SNI received which hasn't a best match with other profiles), and specify service name --which can be a wildcard match-- on all other profiles.

Also, I've just noticed you're referencing \"client\" profiles, however your iRule triggers on a Server-Side event (TCP connection on selected pool member). Do you need a specific certificate on client or server side? 

Lastly .. if the iRule purpose is only to achieve SNI support, you should be able to configure it without requiring an iRule (also, it will be about 20% more efficient on performance). You just need to select the specific checkboxes in clientSSL/serverSSL profile list. Make sure all of the profiles you use support the same ciphers sets. 

Check links below:

SNI support on clientSSL profiles (very likely what you're missing and why you see that error log)  

SSL cheatsheet

Also, this whitepaper has some pretty good considerations, it helped me last year to achieve a similar scenario. 

Hi

F5 made documents relate to this situation

if you must need irule, you need configure sni check ssl profile 

https://community.f5.com/t5/technical-articles/sni-routing-with-big-ip/ta-p/282018

---

viziony wrote: ChoiceADVANTAGE

Would any know how I can incorporate these 2 iRules into one or can they be ran independently and both iRules are utilized on the same VIP? 

My scenario, if a connection comes in for a particular client we would like to present that client with a particular cert we have defined, once that check is completed the traffic would then proceed to path based routing irule.

Referring to this article for TLS SNI https://support.f5.com/csp/article/K13452

This code is for TLS SNI 

when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] \":\" 1]
}
when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
    \"siteA.com\" {
        SSL::profile serverssl-siteA
    }
    \"siteB.com\" {
        SSL::profile serverssl-siteB
    }
  default {
#default serversssl profile to be selected if Host header value cannot be matched with predefined values
    SSL::profile serverssl
  }
}
}

AND

when HTTP_REQUEST {
switch -glob -- [string tolower [HTTP::uri]] {
\"/test*\" -
\"/test2.php*\" -
\"/tt/*\" -
\"/aa/*\" -
\"*/example/*\"  {
pool pool-A
}
default {
pool pool-B
}
}
}

 

 

---

I tried adding the second cert to the VIP however I received a warning/error msg : 0107149c:3: Virtual server /Common/xxxxxxx has more than one clientssl/serverssl profile but none of them is default for SNI.