Forum Discussion

Maria_Ramirez_5
Feb 03, 2007

HOW TO ASSOCIATE TWO SSL PROFILES TO A VIRTUAL SERVER

Hello,

I am María Ramírez, Presales Security Engineer of a reseller company called DIMENSION DATA.

I have a client who has a virtual server which has an SSL profile associated. This profile contains an SSL certificate for a domain (*.ahorro.com).

Now, they want to create another domain (the servers for this domain are the same as the servers used for the first one). The new domain is *.test.com and my client wants to know if:

IT IS POSSIBLE TO ASSOCIATE TWO SSL PROFILES TO THE SAME VIRTUAL SERVER; I MEAN: THE SAME VIRTUAL IP ADDRESS SHOULD MAKE THE SSL TERMINATION FOR *.ahorro.com AND *.test.com

BY MEANS OF THE WEB GUI, IT IS NOT POSSIBLE TO CONFIGURE THIS, BUT PERHAPS, WITH IRULES, IT IS POSSIBLE?

HAVE YOU HAD ANY CASE SIMILAR TO THIS?

THANK YOU IN ADVANCE.

I WAIT FOR YOUR ANSWER.

Regards,

María

5 Replies

  • Hi Maria,

    You can use an iRule to bind a single virtual with 2 SSL profiles using the SSL::profile command. Below is an example, happy trying.

    when HTTP_REQUEST {
        if { [HTTP::host] contains "ahorron.com" } {
            SSL::profile ahorron_profile
        } elseif { [HTTP::host] contains "test.com" } {
            SSL::profile test_profile
        }
    }

    regards,
  • Maria:

    If the traffic comes in on port 80 first, you could issue an HTTPS redirect to two different VIPs based on the URL domain.

    I don't believe a single VIP can be used to accommodate SSL offloading for two different certificates. The packets are encrypted with only the TCP header available for inspection until the data is unencrypted by using an SSL profile. At that point, it's too late to switch SSL profiles as one has already been applied.

    Dave
  • Thank you very much for your answers.

    I understand your explanation. I will try to create a vs on port 80 and then try to make a switch (depending on the SSL CERTIFICATE), in order to use a virtual server (with *.ahorro.com ssl profile) or the other virtual server (with *.test.com certificate).

    Regards
  • Thanks!!

    I will try with this iRule. If this works, it could be great, because it is easy to implement!! I will inform you with the results.

    Thanks again and regards,

    María
  • Posted By kky on 2/04/2007 6:00 AM

    Hi Maria,

    You can use an iRule to bind a single virtual with 2 SSL profiles using the SSL::profile command. Below is an example, happy trying.

    when HTTP_REQUEST {
        if { [HTTP::host] contains "ahorron.com" } {
            SSL::profile ahorron_profile
        } elseif { [HTTP::host] contains "test.com" } {
            SSL::profile test_profile
        }
    }

    regards,

    This won't work. SSL::profile isn't available in an HTTP_REQUEST context. By the time you get to the completed HTTP_REQUEST, the profile has already been selected.

    SSL::profile is available in CONNECTION_ACCEPTED and other contexts, but the HTTP::* stuff isn't. It's a bit of a chicken and egg problem.

    You need the hostname to help select the profile, but you can't select the profile after you get the hostname.

    I'm working on this exact same issue right now. I don't know that it's solvable via the current iRule implementation, but I would think this is a common enough issue for F5 to address.

    We run a lot of websites off of one VIP, using name based configurations. We can't provide true SSL for those websites until this is resolved.