This is for setting up multiple HTTPS websites behind a single VIP on an F5 BIG-IP using SNI. It conserves the IPs on your VLAN because you do not have to create a separate virtual server for each website.
The setup consists of a node, a pool for each website, a client SSL profile for each website, an iRule and a single virtual server.
Create a node for the server where your websites are hosted.
Local Traffic > Nodes > Node List > Create
Create a pool for each website (the iRule below refers to them as pool_website1 and pool_website2). Local Traffic > Pools > Pool List > Create
Select the Node List radio button and add the previously created node from the drop-down.
Enter the service port as the port on which that website is listening.
Create a client SSL profile for each website.
The process to create client SSL profiles is documented here very nicely, so I won't elaborate on that. Two settings matter for SNI: the Server Name on each profile must match the hostname that clients send in the TLS ClientHello, and the certificate on each profile must be valid for that name.
On one of the profiles that you will add to the virtual server, check the Advanced box and enable the option
Default SSL Profile for SNI
That profile (and its certificate) is what a client gets when it sends no SNI at all, or sends a name that matches no profile.
Create the iRule
Create the iRule that directs traffic to the right pool based on the Host header. Note that the iRule does not choose the client SSL profile: the profile is selected by SNI on the virtual server (the Server Name on each profile, plus the one flagged as default). By the time HTTP_REQUEST fires the TLS handshake has already completed, so it is too late to switch profiles there, and a line such as set sslprof "SSL::profile testwebsite1_clientssl" only stores a string in a variable and has no effect. The default branch keeps requests for unknown hostnames from falling through to the virtual server's default pool.
Local Traffic > iRules > iRule List > Create
Here is the text.
when HTTP_REQUEST {
    # Match on the Host header, lower-cased. The match is exact, so use the
    # name clients actually send (the FQDN if that is what they browse to).
    switch [string tolower [HTTP::host]] {
        "testwebsite1" {
            pool pool_website1
        }
        "testwebsite2" {
            pool pool_website2
        }
        default {
            # Unknown site: do not fall through to the virtual server's
            # default pool; drop the request instead.
            reject
        }
    }
}
Create the virtual server
This virtual server is the front end for all of the websites.
Local Traffic > Virtual Servers > Virtual Server List > Create
Set the HTTP Profile to http; the iRule needs it to read the Host header.
Associate all of the client SSL profiles with the virtual server. The BIG-IP picks the profile whose Server Name matches the SNI sent by the client, and the one flagged Default SSL Profile for SNI handles everything else.
Attach the iRule created above under Resources.
Enable Address Translation and Port Translation in the Advanced section of the virtual server.
The certificate also needs to be assigned in the IIS website bindings.
Each certificate must carry the same name (common name or subject alternative name) as the site's DNS entry, or you would get an error as
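Once everything is in place, check from a client that the VIP really presents each site's own certificate for its SNI name, and the default profile's certificate when no SNI is sent at all (old clients, or openssl s_client without -servername). The Python script below is an added example and not part of the original post: the VIP address 192.0.2.10, port 443, the lab-ca.pem CA file and the testwebsite1/testwebsite2 names are placeholders for your own values. Name matching is done in the script (SAN first, common name only as a fallback, one-label wildcards) so that a mismatch is reported per site rather than raised as an exception.

```python
"""Verify which certificate a BIG-IP virtual server presents per SNI name.

Added example, not code from the original post. VIP address, port, hostnames
and CA file below are assumptions/placeholders; replace them with your own.
"""
import socket
import ssl


def cert_names(cert):
    """Return the DNS names a getpeercert()-style dict is valid for.

    subjectAltName dNSName entries take precedence; the subject commonName is
    used only when there is no SAN, which is how browsers treat certificates.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def name_matches(hostname, cert):
    """True if hostname matches one of the certificate's names.

    A wildcard covers exactly one label on the left: '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        labels = name.split(".")
        if name == host:
            return True
        if (
            labels[0] == "*"
            and len(labels) > 1
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


def fetch_cert(vip, port, sni, cafile=None, timeout=5.0):
    """Handshake with the VIP and return the presented certificate as a dict.

    sni=None sends no server_name extension, which exercises the BIG-IP's
    "Default SSL Profile for SNI". The chain is still verified against cafile
    (or the system trust store) so that getpeercert() is populated; hostname
    checking is turned off here because name_matches() does it per site.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((vip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_vip(vip, port, sites, default_site, cafile=None, fetch=fetch_cert):
    """Map each site to True/False: did the VIP present a cert valid for it?

    The pseudo-site '<no-sni>' records whether a client sending no SNI got the
    certificate of default_site, i.e. the profile flagged as default for SNI.
    fetch is injectable so the decision logic can be exercised offline.
    """
    results = {}
    for site in sites:
        results[site] = name_matches(site, fetch(vip, port, site, cafile))
    results["<no-sni>"] = name_matches(default_site, fetch(vip, port, None, cafile))
    return results


if __name__ == "__main__":
    # Placeholder VIP, CA file and hostnames (assumed, not from the post).
    report = check_vip("192.0.2.10", 443,
                       ["testwebsite1", "testwebsite2"],
                       default_site="testwebsite1",
                       cafile="lab-ca.pem")
    for site, ok in report.items():
        print(f"{site:15} {'OK' if ok else 'WRONG CERT'}")
```

Run it from a client that can reach the VIP; a WRONG CERT on the <no-sni> row means the wrong profile is flagged as the default, and WRONG CERT on a site row means that site's Server Name or certificate does not match the name clients use.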
For troubleshooting, logging can be added to the iRule. This version logs the client address of every connection and which switch branch each request takes; the commented-out lines dump every request header, which is useful once but far too noisy to leave enabled. The log lines go to /var/log/ltm.
# Log the address of every incoming connection
when CLIENT_ACCEPTED {
    log local0. "IP: [IP::client_addr]"
}
when HTTP_REQUEST {
    # Uncomment to dump the full request (hostname, URI and all headers).
    # log local0. "Requested hostname: [HTTP::host] from IP: [IP::client_addr]"
    # set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    # log local0. "start ============================================="
    # log local0. "$LogString (request)"
    # foreach aHeader [HTTP::header names] {
    #     log local0. "$aHeader: [HTTP::header value $aHeader]"
    # }
    # log local0. "finish ============================================="
    # SSL profile selection is done by SNI on the virtual server, not here.
    switch [string tolower [HTTP::host]] {
        "testwebsite1" {
            pool pool_website1
            # Log after the pool command so the chosen pool shows up.
            log local0. "=I am in stmt1 Pool:[LB::server]"
            # HTTP::host [HTTP::host]:7000
        }
        "testwebsite2" {
            pool pool_website2
            log local0. "=I am in stmt2 Pool:[LB::server]"
        }
        default {
            log local0. "No site matches Host: [HTTP::host]"
            reject
        }
    }
}