keith_varga_107 (Nimbostratus)
Aug 06, 2013
iRule for SSL over multiple domains without browser warnings
Hello DevCentral Team,
We are trying to save on external IP addresses by using the F5 as a go-between for SSL requests. We are already doing this OK for port 80 requests using an iRule and a datagroup.
We have 100s of customers in the field that all use their own unique domain names. We want to give them all one external IP that points to an HTTPS F5 virtual server that eventually steers them into the iRule, finds their domain in the datagroup, and then points them to the internal IP of the SSL-hosted IIS website.
The problem is that even if we put one of our certs onto the F5 virtual server, the customer will first get a browser warning when hitting the F5 since our cert will not match their domain.
So, we were hoping there might be a way to put all the customer certs onto the F5, and then somehow make this work without browser warnings. Perhaps we can use an iRule command to find their cert on the F5 based on their domain name, and pass the traffic to the correct datagroup member that is bound to that cert?
Here is our current iRule referencing the OPS_DEV datagroup:
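when HTTP_REQUEST {
    # Normalise the Host header once, then look it up in the OPS_DEV datagroup
    set host [string tolower [HTTP::host]]
    # Use the same operator (ends_with) for the test and the lookup,
    # so a successful match always yields a node value
    if { [class match $host ends_with OPS_DEV] } {
        node [class match -value $host ends_with OPS_DEV]
    } else {
        HTTP::respond 200 content "no such service"
    }
}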
Thanks much,
Keith Varga