cancel
Showing results for 
Search instead for 
Did you mean: 

Use different Client SSL profile for https traffic with same domain and different URI.

Shazee
Altocumulus
Altocumulus

I have configured a virtual server to accept HTTPS from the public network.

Perform a TLS MA on HTTPS traffic, then does a host header rewrite and assigns it to a pool.

Example: https://myorg.com/ver1uri.

Now I have got an additional requirement,

We have got a different URL for version2, https://myorg.com/ver2uri.

Traffic from the same new URL with version2 URI also needs to land on the same vs and perform TLS-MA on the traffic and also a host header rewrite.

the issue here is, version2 URI uses a different set of cert signed by diff CA,

 

Basically, I need to split the HTTPS traffic based on URI.

but since the URI will be encrypted and can be checked only after the off lad.

Can someone help me to guide this, please?

 

I believe, we can make LTM policies to split the traffic based on URI. But again since the URI is encrypted, will that work?

 

https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html

 

 

 

3 REPLIES 3

Hi , 

 

try this iRule, I think it should work.

when SERVER_CONNECTED { if { [HTTP::uri] starts_with "/abc" } { SSL::profile serverssl_profile1 } elseif { [HTTP::uri] starts_with "/xyz" } { SSL::profile serverssl_profile2 } elseif { [HTTP::uri] starts_with "/lalala" } { SSL::profile serverssl_profile3 } else { # default # SSL::disable } }

KR

Daniel

Sorry, please ignore my above response. I misunderstood your requirement, I understood it like mTLS on the serverside.

 

I think your requirement cannot be satisfied. First TLS handshake happens, then HTTP URI is inspected. I would not know how to turn this process around.

Shazee
Altocumulus
Altocumulus

  Thank you for the response,

Yes, this URI part being a layer7 and cannot be read by F5 until the TLS MA completes, we have to think of a different way to achieve this