Forum Discussion

Dan_Howard's avatar
Dan_Howard
Icon for Nimbostratus rankNimbostratus
Jun 03, 2019

iRule to select different access profile based upon host header?

As the title states, I am looking for an iRule to select a different access profile based upon host header. In our current environment we configure VIPs with a specific access profile using SAML (Big...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Jun 03, 2019

You can only apply one access profile per virtual sever, so you will have to use layered virtual servers.

For example, having one Virtual Server, acting as a broker, then use an iRule to select the virtual server, with the associated access policy based on the required host header

This can be done using a simple switch statement, but does need to have multiple Virtual Servers.

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "www.site1.com" {
            virtual site1_vs
        }
        "www.site2.com" {
            virtual site2_vs
        }
        "www.site3.com" {
            virtual site3_vs
        }
}
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jun 04, 2019

    I agree With layered virtual server...

     

    but routing based on http event requires ssl profile assigned to front virtual server...

     

    APM can require ssl profile assigned to the 2nd virtual server :

    • client cert authentication
    • multi domain sso
    • ...

     

    so to make it work, you can use layered virtual servers based on TLS SNI extension which is same value as HTTP host header in real browser connection

     

    look at this article

     

    https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348