Multiple HTTPS sites on a single IP

You can only have one IP:Port combination for a Virtual Server since the traffic wouldn't know which one to go to. You need to put all the SSL profiles on one Virtual Server.

And how would I proxy traffic for sub1 and sub2 to different backends?

You would need to write an iRule or create a local traffic policy to send traffic to different pools.

 

Here is a good example: https://devcentral.f5.com/s/feed/0D51T00006i7jYuSAI

 

You said "traffic wouldn't know which one to go to", but isn't that where SNI comes into play?

 

There's even an article saying that Prior to the introduction of SNI, the client could not establish secure connections to multiple virtual servers hosted on a single IP address. To me that sounds like with SNI support multiple virtual servers hosted on a single IP address has been made possible...

 

Source https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

 

You have two Virtual Servers based on this error message:

Virtual Server /Common/sub2 illegally shares destination address, source address, service port, ip-protocol, and vlan with Virtual Server /Common/sub1

The error message says that your trying to use the same IP address and port for both Virtual Servers. How would traffic know to go to Virtual Server A over Virtual Server B? SNI (as I understand it) is for matching a domain to a certificate so that multiple domains can be used for one Virtual Server. I don't think it has anything to do with routing in the sense of directing traffic for at least how I've used it.

In the end, a virtual server is a listener and just like you can't have two hosts with the same IP address on a network, due to the obvious IP conflict, you cannot have two Virtual Servers with the same IP address and Port. You can have the same IP address with a different port (i.e. 10.0.10.10:443 and 10.0.10.10:22).

I'm coming from NGINX, that's probably where my thinking goes wrong. On NGINX I just add another "server" listening on the same IP:port combination, but with a different "Server Name".

Thanks for the quick replies!

Hey Mischa

I'm sorry but it is a bit confusing.

Do you have a wildcard certificate? Meaning that certificate is issued for *.domain.com? In that case you only need to use a single Client SSL Profile where you have assigned the certificate.

Client SSL Profile

• Name: wildcard_domain_com
• Certificate: wildcard_domain_com.crt
• Key: wildcard_domain_com.key

Then you create one single virtual server, for instance:

Virtual Server

• VS Name: vs_wildcard_domain_com
• Destination IP: 10.0.0.1
• Service port: 443 HTTPS
• HTTP profile: http
• SSL Profile (Client): wildcard_domain_com
• Source Address Translation: Auto Map
• NO DEFAULT POOL

Pool 1

• Name: pool_sub1_domain_com
• Member: 172.16.1.10:80

Pool 2

• Name: pool_sub2_domain_com
• Member: 172.16.1.20:80

Now to the "tricky" part. In order to load balance to different pools you need an irule that will check the host header inside the HTTP request and load balance based on that. Luckily, there is an iRule created just for this named ProxyPassiRule. You can download it here:

ProxyPass v10/v11

Download this iRule and assign to the VS.

Then navigate to Local Traffic > iRules > Data Group List and create the following Data Group List:

• Name: ProxyPassvs_wildcard_domain_com
• Type: String

Then enter the following values:

Subdomain 1

• String: sub1.domain.com/
• Value: sub1.domain.com/ pool_sub1_domain_com

Subdomain 2

• String: sub2.domain.com/
• Value: sub2.domain.com/ pool_sub2_domain_com

This should give the results you're after.

And on another note, you do not need SNI for this because you are intercepting the SSL traffic by having a Client SSL Traffic. So the HTTP Host header will be readable by the BIG-IP.

SNI Load-balancing will only be needed when you have a HTTPS VS without a Client SSL Profile. Because in that case the HTTP Host Header will be encrypted. In that case we use the SNI which is part of the Client Hello in the SSL Handshake.

I hope this helps!