Forum Discussion

Shazee
Aug 17, 2021

Use a different Client SSL profile for HTTPS traffic with the same domain and different URIs.

I have configured a virtual server to accept HTTPS from the public network.

It performs TLS-MA on the HTTPS traffic, then does a host header rewrite and assigns it to a pool.

Example: https://myorg.com/ver1uri.

Now I have got an additional requirement.

We have got a different URL for version 2, https://myorg.com/ver2uri.

Traffic from this new URL with the version 2 URI also needs to land on the same VS, perform TLS-MA on the traffic and also do a host header rewrite.

The issue here is that the version 2 URI uses a different set of certs signed by a different CA.


Basically, I need to split the HTTPS traffic based on URI,

but the URI will be encrypted and can be checked only after the offload.

Can someone help me to guide this, please?


I believe we can make LTM policies to split the traffic based on URI. But again, since the URI is encrypted, will that work?


https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html


3 Replies

  • Hi,

    try this iRule, I think it should work.

    # Pick the server-side SSL profile by request URI once the server-side
    # connection is established (this selects the serverssl profile, not the clientssl one).
    when SERVER_CONNECTED {
        if { [HTTP::uri] starts_with "/abc" } {
            SSL::profile serverssl_profile1
        } elseif { [HTTP::uri] starts_with "/xyz" } {
            SSL::profile serverssl_profile2
        } elseif { [HTTP::uri] starts_with "/lalala" } {
            SSL::profile serverssl_profile3
        } else {
            # default: leave the profile as configured, or disable SSL to the pool
            # SSL::disable
        }
    }

    KR

    Daniel

    • Daniel_Wolf

      Sorry, please ignore my above response. I misunderstood your requirement; I understood it as mTLS on the server side.

      I think your requirement cannot be satisfied. First TLS handshake happens, then HTTP URI is inspected. I would not know how to turn this process around.

  •   Thank you for the response.

    Yes, since this URI part is layer 7 and cannot be read by the F5 until the TLS-MA completes, we have to think of a different way to achieve this.
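One "different way" that fits the order of operations Daniel describes (handshake first, URI second) is to stop trying to pick the Client SSL profile by URI and instead let a single profile complete the handshake for either CA, then enforce the per-URI CA after the request line is readable. The iRule below is an added example written for this thread; it is not code from the original posts or from F5's documentation. It assumes one Client SSL profile whose Trusted Certificate Authorities bundle contains both CAs and whose Client Certificate setting is "request" (so a certificate from either CA validates during the handshake and the pool/host decision happens afterwards). The path prefixes come from the question; the issuer DNs, pool names and internal host names are hypothetical placeholders.

```tcl
# Added example, not from the thread. Assumes a single Client SSL profile whose
# Trusted Certificate Authorities bundle contains BOTH CAs and whose
# Client Certificate setting is "request" (not "require"), so the handshake
# succeeds for either CA and the per-URI decision is made afterwards.
# Issuer DNs, pool names and internal host names below are hypothetical.

when CLIENT_ACCEPTED {
    # Defaults in case no client certificate is ever presented on this connection.
    set cert_ok 0
    set cert_issuer ""
}

when CLIENTSSL_CLIENTCERT {
    # Fires during the handshake when the client sends a certificate.
    # A verify_result of 0 means the chain validated against the trusted bundle.
    if { [SSL::cert count] > 0 } {
        set cert_issuer [X509::issuer [SSL::cert 0]]
        if { [SSL::verify_result] == 0 } {
            set cert_ok 1
        }
    }
}

when HTTP_REQUEST {
    # Only here is the URI readable: TLS has already been terminated by the profile.
    if { [HTTP::uri] starts_with "/ver1uri" } {
        set required_issuer "CN=Org CA 1,O=MyOrg"
        set target_pool "pool_ver1"
        set new_host "ver1.internal.myorg.example"
    } elseif { [HTTP::uri] starts_with "/ver2uri" } {
        set required_issuer "CN=Org CA 2,O=MyOrg"
        set target_pool "pool_ver2"
        set new_host "ver2.internal.myorg.example"
    } else {
        HTTP::respond 404 content "Not found"
        return
    }

    # Enforce the per-URI CA: a certificate chained to CA 1 must not be
    # accepted on /ver2uri just because the shared bundle trusts CA 1.
    if { !$cert_ok || ($cert_issuer ne $required_issuer) } {
        log local0. "Rejected [HTTP::uri] from [IP::client_addr]: issuer '$cert_issuer' not valid for this path"
        HTTP::respond 403 content "Client certificate not accepted for this URI"
        return
    }

    # Same host header rewrite and pool assignment the question already does, now per version.
    HTTP::header replace Host $new_host
    pool $target_pool
}
```

Two things to check before relying on this. First, compare against the exact string X509::issuer returns for your certificates (log it once and copy it) rather than a hand-typed DN; ordering and spacing of the components must match. Second, CLIENTSSL_CLIENTCERT does not fire on a resumed TLS session, because the certificate is not re-sent, so with the defaults set in CLIENT_ACCEPTED a resumed session fails closed with a 403; if that is not acceptable, reduce the session cache on that profile so every connection performs a full handshake.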