Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

VIP using two different URL and certificates

Thiago_Morais
Altostratus
Altostratus

‎03-Feb-2021 15:05

I have a scenario that the server team is asking to create a VS in the F5 that will be used by an external application to access an internal application using API. But in the scenario, there are some points to be considered.

 

1) the external application will use a specific URL and certificate https://url1.domain.com that will be configured in the F5 (VS Standard, Client SSL Profile and etc.)

 

2) the internal application is configured to use another URL and certificate https://url2.domain.com.

 

I will create a client SSL profile using the external certificate and a Server SSL Profile using the internal certificate.

 

In that case, I need to use an iRule to rewrite the HTTP Location on the HTTP header to match the same URL that is used by the internal application? I am not considering using a redirect.

 

Regards,

TM

Labels:
0 Kudos
6 REPLIES 6

Daniel_Wolf
MVP
MVP

‎04-Feb-2021 00:58

Hi Thiago,

 

I understand that you have one external hostname for your app and one internal. In your example url1.domain.com for external and url2.domain.com for internal.

And that you have different paths for internal and external. External might be /dirA/index.html, while internal might be /dirB/index.html.

So for users accessing the app via url1.domain.com you want to rewrite the HTTP::host and (partially) the HTTP:path so that they match the internal ones, right? That can be done with iRules or with LTM Traffic Policies. I find this picture handy to learn the terminology.

0691T00000BUw82QAD.png 

For the SSL bridging, 90% of the cases can be satisfied with the default serverssl profile, it is sufficient to establish a connection to a pool member using https. Unless you have requirements on the serverside, like SNI or SSL protocol, this serverssl profile will do.

 

Best of luck

Daniel

0 Kudos

Thiago_Morais
Altostratus
Altostratus
In response to Daniel_Wolf

‎04-Feb-2021 04:57

Hi Daniel,

 

Thank you for your reply.

 

I got more details about the request that the application will handle.

 

External URL: https://url1.domain.com:10002/coreService/services

Internal URL: https://url2.domain.com:10002/coreService/services

 

In that case, I am thinking to use an iRule to rewrite the HTTP::host from url1.domain.com to url2.domain.com in the HTTP_REQUEST and HTTP_RESPONSE?

 

What do you think about it?

 

Regards,

TM

0 Kudos

Daniel_Wolf
MVP
MVP
In response to Thiago_Morais

‎04-Feb-2021 10:11 - last edited on ‎04-Jun-2023 21:04 by Fog

Hi Thiago,

I would use a LTM Traffic Policy instead on an iRule and also I would pay attention if maybe you want to rewrite the Referer header too.

In a Traffic Policy you would do it like this (tmsh output)

ltm policy policy_route_url1.domain.com {
    controls { forwarding server-ssl }
    requires { http }
    rules {
        match_url1.domain.com {
            actions {
                0 {
                    http-host
                    replace
                    value url2.domain.com
                }
                1 {
                    http-referer
                    replace
                    value "tcl:[regsub -nocase {url1.domain.com} [HTTP::header Referer] {url2.domain.com}]"
                }
                2 {
                    forward
                    select
                    pool pool_url2.domain.com
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    values { url1.domain.com }
                }
            }
        }
    status published
    strategy first-match
}

KR

Daniel

0 Kudos

Thiago_Morais
Altostratus
Altostratus
In response to Thiago_Morais

‎04-Feb-2021 15:54

Thanks, Daniel

 

The configuration is ready to be applied in the F5, after that, I'll let you know.

0 Kudos

Thiago_Morais
Altostratus
Altostratus
In response to Thiago_Morais

‎06-Feb-2021 19:00

Hi Daniel

 

I don't know how, but the external application gets access to the internal application through the Virtual Server, but I don't have to configure police or iRule. The Virtual Server was configured to Standard type, SSL Client Profile was configured to use the external certificate, and SSL Server Profile was configured to use the internal certificate. When I applied all configurations in the F5, in the first test, the access was done successfully.

0 Kudos

Daniel_Wolf
MVP
MVP
In response to Thiago_Morais

‎06-Feb-2021 22:52

Hi Thiago,

 

it's not a big surprise, to be honest. Standard Virtual, client and server SSL profile. It usually works.

What specific cert and key you use for the server SSL profile is not critical in most cases, therefore it works with the internal cert. Most likely the default serverssl profile would work too.

Also most modern apps do not require to rewrite host header and referer header.

So it's the final question, who came up with the requirements to do so? 🙂

Not for finger-pointing, but for explaining and knowing better next time.

 

KR

Daniel

 

0 Kudos
Copyright © 2023 Khoros, LLC