Forum Discussion
Hi alokjhafb,
HTTP communication and the underlying TLS/SSL communication are completely distinct from each other.
The clientside connection may request (via Server Name Indication) a certificate for but then may request a page using the HOST-name of .
The F5 may establish a serverside SSL connection to a pool member and then check if a specific CNAME / DNS Name is present in the received certificate. But right after that the F5 can still forward requests for a completely different HOST-name.
This is an intended default behavior. But feel free to overwrite this behavior by using handcrafted iRules and/or LTM Policies to filter out requests for unknown HOST-names as well as selecting the right Pools and matching Server_SSL_Profiles based on the requested HOST-names.
Example iRule:
when HTTP_REQUEST {
    # Normalise the Host header so the comparison is case-insensitive
    set low_host [string tolower [HTTP::host]]
    if { $low_host eq "www.domain.net" } then {
        pool "Pool_www.domain.net"
        set server_ssl "/Common/SRV_SSL_www.domain.net"
    } elseif { $low_host eq "www.domain.com" } then {
        pool "Pool_www.domain.com"
        set server_ssl "/Common/SRV_SSL_www.domain.com"
    } else {
        # Unknown HOST-name requested: reject the request and close the connection
        HTTP::respond 502 content "Bad Gateway: Unknown HOSTNAME requested" "Content-Type" "text/html" "Connection" "close"
        TCP::close
    }
}
when SERVER_CONNECTED {
    # Apply the Server SSL profile selected for the requested HOST-name
    if { [info exists server_ssl] } then {
        SSL::profile $server_ssl
    }
}
Cheers, Kai
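The following is an added illustration, not code from the thread or from F5: it models the routing decision of the iRule above in Python and goes one step further than the post's example by also requiring the TLS SNI name and the HTTP Host header to agree, and by checking the pool member's certificate SAN list against the expected name (the serverside check Kai mentions). The route table, profile paths and SAN values are constructed for the example; `route_request`, `normalize_host` and `cert_matches_host` are hypothetical helper names.

```python
"""Added example (not from the forum thread): a Host-based routing decision that also
checks the SNI name and the upstream certificate's SAN list against the HTTP Host."""

from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed routing table: lower-case Host header -> (pool, Server SSL profile)
ROUTES = {
    "www.domain.net": ("Pool_www.domain.net", "/Common/SRV_SSL_www.domain.net"),
    "www.domain.com": ("Pool_www.domain.com", "/Common/SRV_SSL_www.domain.com"),
}


@dataclass
class Decision:
    status: int            # 200 = forward, 502 = reject (mirrors the iRule's HTTP::respond 502)
    pool: Optional[str] = None
    server_ssl: Optional[str] = None
    reason: str = ""


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and strip any :port suffix (the iRule only lower-cases)."""
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal such as [::1]:443
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def route_request(sni: Optional[str], host_header: str, routes=ROUTES) -> Decision:
    """Pick pool and Server SSL profile from the Host header; reject unknown or inconsistent names."""
    host = normalize_host(host_header)
    if host not in routes:
        return Decision(502, reason="unknown host")
    # SNI (TLS layer) and Host (HTTP layer) are carried independently and are not tied
    # together by the proxy; insisting that they agree closes the gap the thread describes.
    if sni is not None and sni.lower() != host:
        return Decision(502, reason=f"sni/host mismatch: {sni.lower()} != {host}")
    pool, server_ssl = routes[host]
    return Decision(200, pool, server_ssl, "ok")


def cert_matches_host(san_dns_names: Iterable[str], host: str) -> bool:
    """Serverside check: does the pool member's certificate carry the expected DNS name?
    Accepts exact matches and a single left-most wildcard label (RFC 6125 style)."""
    host = host.lower()
    for name in san_dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            # '*.domain.net' matches 'www.domain.net' but not 'a.b.domain.net' or 'domain.net'
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs
    print(route_request("www.domain.net", "WWW.Domain.NET:443"))
    print(route_request("www.domain.net", "www.domain.com"))
    print(route_request(None, "unknown.example"))
    print(cert_matches_host(["*.domain.net"], "www.domain.net"))
```

The serverside certificate check only confirms that the pool member presents a certificate for the name you configured; it says nothing about which Host the client asked for, which is why the Host-based selection in the iRule and the SNI/Host consistency check are separate steps.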