Forum Discussion

Allan_ivari_304
Nov 02, 2018

use irule to force SSL profile based on URL

I am new to F5, and this question may be very basic. Thanks in advance to whoever is helping. 🙂

My situation is: we have 2 web servers using the same VIP, based on different URLs, and I am pointing them to different pools. Since they also use different SSL profiles (both client side and server side), I want to use an iRule to assign them different SSL profiles based on URL.

Not sure if this is doable; if so, how?

Below is what I have so far:

when HTTP_REQUEST {
  # Select the pool from the Host header; lower-cased so the match is case-insensitive
  switch [string tolower [HTTP::host]] {
    "a.webone.com" {
      pool a.webone.com
    }
    "b.webtwo.com" {
      pool b.webtwo.com
    }
    default {
      # No matching host: log it so unexpected traffic is visible
      log local0. "Unknown host to switch: [HTTP::host]"
    }
  }
}

5 Replies

  • https://support.f5.com/csp/article/K13452

    Well, yes. The easiest way to support different client side certificates is to use SNI switching. You create multiple client SSL profiles, each with a different Server Name attribute (that should match the defined certificate CN or SAN), and then include all of the client SSL profiles in a single VIP. Based on the SNI value in the client's ClientHello TLS handshake message, the BIG-IP will switch between the client SSL profiles.

    Swapping the server side SSL profile is also pretty straightforward. You'd just add the

    SSL::profile [profile_name]

    command to an iRule event. Ref: https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx, and you can even do this in a CPM policy.

    But keep in mind for client-side SNI switching, the client SSL profiles all have to be identical, except for the Server Name attribute and cert/key. If you actually need different types of client SSL profiles (like with different ciphers, or client authentication), then you'd have to parse the binary SNI value from the TCP payload. There are plenty of examples of that here, so not terribly difficult.
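
As an added, runnable illustration (not part of Kevin's reply and not F5 code), the Python below performs the decision BIG-IP makes during SNI switching: it reads the server_name out of a raw TLS ClientHello, which is the "binary SNI value" in the TCP payload Kevin refers to, and maps it to a client SSL profile name. Because the ClientHello arrives before any HTTP request exists, this is also why client-side profile selection can only key on the SNI hostname, never on the URL path. The hostnames and profile names are constructed for the example, and the ClientHello builder exists only to produce offline test input.

```python
# Added example (not from the DevCentral thread, not F5 code): extract the SNI
# server_name from a TLS ClientHello and pick a client SSL profile from it.
import struct

# Constructed mapping: SNI host_name -> client SSL profile name (hypothetical names)
SNI_PROFILES = {
    "a.webone.com": "clientssl_webone",
    "b.webtwo.com": "clientssl_webtwo",
}
DEFAULT_PROFILE = "clientssl_default"  # used when no SNI is present or it is unknown


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with one SNI extension.
    This exists only to create test input; real clients send far more fields."""
    sni_name = server_name.encode("ascii")
    # ServerName entry: name_type 0 (host_name), 2-byte length, name
    server_name_list = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    sni_ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (zeros are fine for a test vector)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if the
    payload is not a ClientHello, is truncated, or carries no server_name."""
    try:
        if record[0] != 0x16:                        # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:             # 0x01 = ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:                      # truncated segment: refuse to guess
            return None
        pos = 2 + 32                                 # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len                           # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                            # skip cipher_suites
        cm_len = body[pos]
        pos += 1 + cm_len                            # skip compression_methods
        if pos + 2 > len(body):                      # no extensions block at all
            return None
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            return None
        while pos + 4 <= end:                        # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                   # 0 = server_name
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                  # malformed input is treated as "no SNI"


def select_client_ssl_profile(record: bytes) -> str:
    """Map the ClientHello's SNI to a profile name, falling back to the default."""
    name = parse_sni(record)
    if name is None:
        return DEFAULT_PROFILE
    return SNI_PROFILES.get(name.lower(), DEFAULT_PROFILE)


if __name__ == "__main__":
    for host in ("a.webone.com", "B.WebTwo.com", "other.example"):
        print(host, "->", select_client_ssl_profile(build_client_hello(host)))
```

The parser deliberately returns None on anything it cannot fully account for (wrong record type, truncated handshake, missing extensions) so that such connections fall through to the default profile instead of being matched on a half-read name; an iRule doing the same job from the TCP payload needs the same length checks.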

  • Hi Kevin,

    Would you please provide a link for doing this:

    "If you actually need different types of client SSL profiles (like with different ciphers, or client authentication), then you'd have to parse the binary SNI value from the TCP payload. There are plenty of examples of that here, so not terribly difficult."

    I'm new to F5 and I need this:

    https://domain.com/Customer1/ ---> !AES:!DES...

    https://domain.com/Customer2/ ---> !TLS1:!TLS1_1:!RSA:!AES:DES

    Regards,