Change server SSL profile based on HTTP content
I have a single Virtual Server which provides internal to external access for a specific set of FQDNs (and nothing else).
It is a wildcard VS which accepts traffic destined to the actual external IPs. The VS does not perform destination IP/port translation (but source IP is SNATed) - i.e. traffic arrives at VS by:
- Client does DNS lookup and gets external 'real' IP
- Client establishes connection to this IP - but traffic actually directed to, and picked up by, F5 wildcard VS
VS has a pool with only 1 member, which is an upstream device that transports traffic to the internet (F5 basically uses pool member to get layer 2 MAC to forward the traffic to, but the layer 3 IP addressing of the traffic remains as that originally received, i.e. the actual external server IPs).
Each FQDN has its own specific Server SSL profile, which is assigned by iRule (based on client presented SNI).
This has all been working OK for a long time.
There is now a requirement that a couple of the FQDNs will need different server SSL profiles based on content within the HTTP request. It is possible that a single incoming TCP connection to the VS could contain HTTP requests which are to be handled differently, e.g.
- HTTP Header X = A: server connection should use SSL profile A
- HTTP Header X = B: server connection should use SSL profile B
The problem here is that you can't just set up a server connection based on the initial HTTP Header X received on a new clientside connection to the VS. It is possible that different HTTP requests could then come across that single client TCP stream, each requiring a different Server SSL profile (choice of two, A or B).
My question is can anyone suggest how this can be accomplished without having to change anything on the clientside?
I have set something up which on first inspection appears to work in a 'lab' (i.e. PC running VMWare and LTM VE :-). I don't want to describe it just yet in case what I have done isn't the best solution (or maybe wouldn't even work properly in a real world setting with lots of load). At this point I am just looking for ideas of how others might approach this, and don't want to influence anyone's ideas by describing my first attempt :-)
So any ideas??? Please ask any questions as needed to help clarify the ask :-)
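One shape a per-request answer could take, written here as an added iRule sketch rather than the poster's lab setup: the header name `X-Backend`, the profile names `serverssl_A`/`serverssl_B`, and the presence of a OneConnect profile on the VS are all assumptions.

```tcl
# Added sketch, not the poster's configuration. Assumptions:
#  - a default Server SSL profile is already attached to the VS, and the
#    candidate profiles serverssl_A / serverssl_B exist (placeholder names)
#  - the request header that drives the choice is X-Backend (placeholder)
#  - a OneConnect profile is on the VS, so LB::detach releases only the
#    server-side connection and the client-side TCP stream stays up
when CLIENT_ACCEPTED {
    set current_profile ""
    set wanted_profile  "serverssl_A"
}
when HTTP_REQUEST {
    # Decide per request, not per client connection: one client TCP
    # stream may carry requests that need different server-side profiles.
    switch -- [string tolower [HTTP::header value "X-Backend"]] {
        "b"     { set wanted_profile "serverssl_B" }
        default { set wanted_profile "serverssl_A" }
    }
    # If the current server-side connection was opened under the other
    # profile, drop it so this request triggers a fresh SERVER_CONNECTED.
    if { $current_profile ne "" && $current_profile ne $wanted_profile } {
        LB::detach
    }
}
when SERVER_CONNECTED {
    # Apply the profile chosen by the request that caused this connection.
    SSL::profile $wanted_profile
    set current_profile $wanted_profile
}
```

The point to verify under load is connection reuse: an idle server-side connection handed back by OneConnect was handshaked under whichever profile was active when it was opened, so the lab test should confirm that a reused connection never serves a request that asked for the other profile.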