Forum Discussion

helm123_141710's avatar
helm123_141710
Icon for Nimbostratus rankNimbostratus
Jan 28, 2015

irule with different SSL profiles depending on the pool.

Converting another load balancing device to the F5 and have a question that I just can't seem to find the answer for. I have an HTTPS virtual server that going to load balance different pools based on the matches and some pools use different cert/key pairs (aka profiles). Below is a slight example that I have tried but it always fails on the profile part. There's actually many more matches in the irule that goes to many more pools with other SSL profiles.

 

when HTTP REQUEST {

 

switch -glob [HTTP::uri] {

 

"/external/lifts/docs" -

 

"/internal/sites" {

 

pool CompanyA

 

SSL::enable serverside

 

SSL::profile CompanyA

 

}

 

"/external/boats/docs" -

 

"/internal/states" {

 

pool CompanyB

 

SSL::enable serverside

 

SSL::profile CompanyB

 

}

 

}

 

}

 

12 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    Quick thought, do you have a serverssl profile on the VIP? I understand it's a pre-req for serverssl switching.

     

    N

     

  • Hi Nathan,

     

    Yep have serverssl profile on the SSL Profile (Server) on the VIP. Transitioning from ACE modules/Appliances and you could assign different SSL profiles under the Load Balance policies and I'm hoping to do about the same thing.

     

    • nathe's avatar
      nathe
      Icon for Cirrocumulus rankCirrocumulus
      Stephen's right. Do you mean the server side connection or the client side? Is it the cert the bigip presents to the client or the server presents to the bigip?
    • helm123_141710's avatar
      helm123_141710
      Icon for Nimbostratus rankNimbostratus
      Hey Nathan, It's the cert the server presents to the bigip but it's actually 2-way ssl. Client connects to the vip one way ssl and then via the irule the bigip sets up a two way ssl connection to the real server.
  • Hi helm123,

     

    you can create multiple client-ssl profiles containing specific cert/key combinations and assign them all to the same virtual server.

     

    If the client supports SNI (server name indication; an extension available with SSL/TLS) the client provides in the hello an attribute containing the expected common name in the server certificate.

     

    This way the virtual server can pick the proper certificate and the client won´t throw an error message due to certificate mismatch.

     

    Thanks, Stephan

     

  • Hi helm123, the typical requirement would be to: - provide the expected certificate to the client during handshake - inspect http-payload (requires established SSL/TLS connection between client and virtual server) - make a forwarding decision (considering persistency) - re-encrypt http-payload before forwarding to selected real server (aka pool member) For SSL/TLS termination between client and virtual server the client-ssl profile(s) is/are relevant. For SSL/TLS communication between load balancer and real server the server-ssl profile(s) is/are relevant. The client-ssl profile(s) contain(s) the server certificate, private key and intermediate CA certificate provided to the client. The server-ssl profile(s) would contain client certificates to be provided to the real server (not required that often). Switching SSL profiles is supported before doing the SSL/TLS handshake, i.e. after the CLIENT_ACCEPTED event is fired (right after 3-way handshake). They cannot be changed, after the SSL/TLS connection was established to send a payload through the encrypted "tunnel". I hope this helps a bit regarding the F5 terminology. :) Thanks, Stephan
  • Thanks Stephen, Yep this is actually the SSL (2-way) connection from the F5 to the real servers. Actually have a decent number of pools inside the irule that are going to require different cert/key pairs (server ssl profiles) determined by the customers real servers. Started looking at some of the examples that showed the CLIENT_ACCEPTED setup that Google helped me find. Was able to get this irule configuration accepted when I hit update. when CLIENT_ACCEPTED { if { $doSSL == 1 }{ SSL::enable serverside SSL::profile CompanyA } elseif { $doSSL == 2 }{ SSL::enable serverside SSL::profile CompanyB } } when HTTP REQUEST { switch -glob [HTTP::uri] { "/external/lifts/docs" - "/internal/sites" { set doSSL 1 pool CompanyA } "/external/boats/docs" - "/internal/states" { set doSSL 2 pool CompanyB } } }
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    How about using SERVER_CONNECTED:

    When HTTP REQUEST { 
      switch -glob [HTTP::uri] {  
       "/external/lifts/docs" -  
       "/internal/sites" {    
         pool CompanyA  
      }
       "/external/boats/docs" -  
       "/internal/states" { 
          pool CompanyB  
      }
     }
    }
    
    when SERVER_CONNECTED { 
      switch [LB::server pool] { 
        CompanyA { 
        SSL::profile CompanyA 
      } 
        CompanyB {
            SSL::profile CompanyB 
      } 
     }  
    }
    

    See if that helps, not in front of my lab box to fully test syntax etc...

    N

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    sorry, syntax error:

    when HTTP_REQUEST { 
      switch -glob [HTTP::uri] {  
       "/external/lifts/docs" -  
       "/internal/sites" {    
         pool CompanyA  
      }
       "/external/boats/docs" -  
       "/internal/states" { 
          pool CompanyB  
      }
     }
    }
    
    when SERVER_CONNECTED { 
      switch [LB::server pool] { 
        CompanyA { 
        SSL::profile CompanyA 
      } 
        CompanyB {
            SSL::profile CompanyB 
      } 
     }  
    }
    
  • Should have replied back long ago that we got this working with the below.

     

    When HTTP REQUEST { switch -glob [HTTP::uri] {

     

    "/external/lifts/docs" -

     

    "/internal/sites" {

     

    pool CompanyA set doSSL 1 } "/external/boats/docs" -

     

    "/internal/states" { pool CompanyB set doSSL 2 } } } when SERVER_CONNECTED { if { $doSSL == 1 } { SSL::enable serverside SSL::profile SSL_2Way } elseif { $doSSL == 2 } { SSL::enable serverside SSL::profile SSL_1Way }

     

    }

     

    • helm123_141710's avatar
      helm123_141710
      Icon for Nimbostratus rankNimbostratus
      Should have replied back long ago that we got this working with the below. When HTTP REQUEST { switch -glob [HTTP::uri] { "/external/lifts/docs" - "/internal/sites" { pool CompanyA set doSSL 1 } "/external/boats/docs" - "/internal/states" { pool CompanyB set doSSL 2 } } } when SERVER_CONNECTED { if { $doSSL == 1 } { SSL::enable serverside SSL::profile SSL_2Way } elseif { $doSSL == 2 } { SSL::enable serverside SSL::profile SSL_1Way } }
  • Hi Guys,

     

    The Irule above is to encrypt the connection that goes to server and the client connection, do you have client ssl profile to decrypt the connection and the Irule to redirect the traffic to different pools, can you show the configuration?