Forum Discussion

keith_varga_107
Aug 06, 2013

iRule for SSL over multiple domains without browser warnings

Hello DevCentral Team,

We are trying to save on external IP addresses by using the F5 as a go-between for SSL requests. We are already doing this OK for port 80 requests using an iRule and a data group.

We have 100s of customers in the field that all use their own unique domain names. We want to give them all one external IP that points to an HTTPS F5 virtual server that eventually steers them into the iRule, finds their domain in the data group, and then points them to the internal IP of the SSL-hosted IIS website.

The problem is that even if we put one of our certs onto the F5 virtual server, the customer will first get a browser warning when hitting the F5, since our cert will not match their domain.

So, we were hoping there might be a way to put all the customer certs onto the F5 and then somehow make this work without browser warnings. Perhaps we can use an iRule command to find their cert on the F5 based on their domain name, and pass the traffic to the correct data group member that is bound to that cert?

Here is our current iRule referencing the OPS_DEV data group:

when HTTP_REQUEST {
    # Normalise the Host header once; the data group keys are lower-case
    set host [string tolower [HTTP::host]]
    # One lookup with one operator, so the membership test and the value
    # lookup cannot disagree (mixing "contains" and "ends_with" lets a host
    # pass the test and still come back with an empty node address)
    set backend [class match -value $host ends_with OPS_DEV]
    if { $backend ne "" } {
        # Forward to the internal IIS address stored as the data group value
        node $backend
    } else {
        HTTP::respond 200 content "no such service"
    }
}

Thanks much,

Keith Varga

3 Replies

  • There are at least THREE options:

    1. Wildcard certificates - this is probably the most expensive solution for most but easiest to manage. A single certificate that encompasses all subdomains (example: *.example.com).

    2. Subject Alternative Name (SAN) certificates - this is a little less expensive usually, but isn't as flexible if you need to add hosts later. A single certificate with multiple subject alternative name values. Some CAs limit the number of hosts you can add to a SAN certificate.

    3. Server Name Indication (SNI) - this is an extension to the TLS protocol and is supported in BIG-IP version 11 and up. The idea is that a TLS-capable client will initiate an SSL session and add a "servername" value in its ClientHello message, and LTM can "switch" client SSL profiles based on that value. You would import all of the customers' certificates, create a client SSL profile for each, specify the certificate's subject name in the Server Name field of each client SSL profile, and then add ALL of these client SSL profiles to the same single virtual server. You can optionally specify a single "default" profile if the client is not TLS-capable.

    The rest of your HTTP-based iRule logic can remain the same.

  • Arie
    Keep in mind that SNI is not compatible with any version of IE running on Windows XP.
  • Thanks both very much for the replies. That helped me out tremendously.

    thanks,

    Keith