Thursday, July 21, 2022

Multiple websites behind single VIP on F5.

This is for setting up multiple websites using ssl behind a single VIP on F5. It conserves the IP's on your Vlan because you do not have to create separate virtual servers for different websites.

The setup consists of node, client ssl profiles, pool, irule and virtual ip


Create a node where your sites are hosted.

Local Traffic > Nodes >  Nodes List > Create

Create a new pool.

Local Traffic > Pools >  Pool List > Create

Select Node list radio button and add the previously created node from the drop down.

Enter the service port as the port which your website is listening on.


 

Create clientssl profiles.

The process to create client profiles is documented here very nicely. So I won't elaborate on that.

https://clouddocs.f5.com/training/community/public-cloud/html/class05/module1/lab2.html#:~:text=Go%20to%20%E2%80%9CLocal%20Traffic%20%3E%20Profiles%20%3E%20SSL,Chain%2C%20select%20Custom%20check%20box%20and%20then%20Add.

For one of the profiles that you would add to your virtual server. Check advanced box and

 

check the option.

 

Default SSL Profile for SNI 



Create Irules

Create the Irule for directing traffic to the pools. This  Irule is using two different client ssl profiles.

 Local Traffic > IRules > IRule List

 

Here is the text .

when HTTP_REQUEST
{
 
  switch [string tolower [HTTP::host]]  {

                         "testwebsite1" {
                                               pool pool_website1
                                               set sslprof "SSL::profile testwebsite1_clientssl"                   
                                         }
                         "testwebsite2" {
                                               pool pool_website2
                                                set sslprof "SSL::profile testwebsite2_clientssl"   
                                        }
                      }



Create the virtual server 

This virtual server will be the frontend for these websites.

Create the virtual server.

Loal Traffic > Virtual Servers > Virtual Server list


Change the HTTP profile section to http.


Asscociate the  client ssl profiles with your virtual server.

 

 

 

Enable Address translation and Port translation. in the advanced section of the Virtual Server

 

Certificate needs to be assigned in the IIS website bindings.

 

Certificate should have the same common name as specified in the DNS or you would get an error as 

 

the Irule can have some logging added to investigate.

#This will log the IP address of the incoming connection
when CLIENT_ACCEPTED {
log local0. "IP: [IP::client_addr]"
}

when HTTP_REQUEST
 {
 #  log local0. "Requested hostname: [HTTP::host] from IP: [IP::local_addr]"
 #  set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
 #  log local0. "start ============================================="
 #  log local0. "$LogString (request)"
 #  foreach aHeader [HTTP::header names] {
 #     log local0. "$aHeader: [HTTP::header value $aHeader]"
 #  }
 #  log local0. "finish ============================================="

 

  switch [string tolower [HTTP::host]]
                           {
                         "testwebsite1"
                                       {
                                              log local0. "=I am in stmt1 Pool:[LB::server]"
                                               pool pool_website1
                                       #        HTTP::host [HTTP::host]:7000
                                               set sslprof "SSL::profile testwebsite1_clientssl"
                                       }
                         "testwebsite2" {
                                               log local0. "=I am in stmt2 Pool:[LB::server]"
                                               pool pool_website2
                                             #  set sslprof "SSL::profile testwebsite2_clientssl"   
                                              set sslprof "SSL::profile testwebsite2_May"
                                        }


                           }                
 }

 

 

No comments:

Post a Comment