

Help with SNI not being passed to pool servers

I think my problem is a missing check box somewhere, but I can't figure out where it is.

I'm running a BigIP, v11.6, in a test environment before we migrate to it in production.

Our requirements are for a fully SSL encrypted connection end to end, and as such I have the BigIP configured to terminate SSL on device, and then re-establish a SSL tunnel to the pool members. I'm using SNAT auto map, I've configured a cookie persistence profile as well as an HTTP profile to insert X-Forwarded-For.

All the above is working fine, until I add SNI into the mix.

Our production environment uses over 20 web sites sharing a single IP using SNI and a combination of wildcard and non-wildcard certificates, all accessible via SNI and host headers. When I migrate my test server to require SNI, the connection is established to the BigIP, SNI is resolved and the correct certificate is presented to the client, however the pool servers are not being contacted correctly by the BigIP and they are not responding.

I've searched through the forums and I don't really see anything applicable, but I admit I'm new with BigIP and I feel like I'm incorrectly using a term or missing a checkbox somewhere.

Can someone point me in the right direction, or link me to where I should have found the answer before I posted?

Thanks in advance!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I haven't tried this, but just poking around, are you using the SSL Forward Proxy feature in your SSL Profile? Implementing SSL Forward Proxy on a Single BIG-IP System says it supports SNI.

0
Comments on this Answer
Comment made 21-Oct-2015 by Michael Waldron 76
I read through that link and I'm not sure it's what we're looking for. It appears that SSL Forward Proxy recreates certificates, and we already have created and assigned certificates for our servers. I ran through the instructions and tried it anyway just to be sure, but it also did not allow the server to answer a request.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

My guess is that you will have to have a server SSL profile with the Server Name field populated for every client SSL profile you have attached. I'm trying to confirm that now, but that is my suspicion.

0
Comments on this Answer
Comment made 21-Oct-2015 by Michael Waldron 76
This appears to be the right path. I found under Advanced configuration in the SSL Server profile where I could specify a server name, and after doing that the first of my test sites is working. I still have to verify it for multiple sites and multiple domain names, but things are looking up. I'll report back with my final results.
0
Comment made 21-Oct-2015 by Brad Parker 4475
If it doesn't work with multiple sites you may have to use an iRule for the server SSL profile selection. This could do that, assuming you name your server SSL profiles (hostname)_serverSSL and apply a default server SSL profile to the VIP with no SNI configured in it.

    when SERVER_CONNECTED {
        catch {
            SSL::profile "[string tolower [getfield [HTTP::host] ":" 1]]_serverSSL"
        }
    }
0
Comment made 21-Oct-2015 by Michael Waldron 76
Ok, this got me a bit closer, but now I'm running into the following: When I attempted to add a 2nd server SSL profile to my virtual server, I was told I needed a default SNI profile. So I created a default profile (a copy of serverssl with the only modification being the default option checked) and after applying that to the virtual server I could not access either test site. I removed the default profile, and selected Test1 as default. I was then able to access the test1 site via the virtual server, but not test2. If I change the profiles to make Test2 the default, I can access it but not Test1. The non-default server returns a 400 - Bad Request Invalid Hostname.
0
Comment made 21-Oct-2015 by Brad Parker 4475
sounds like you will have to use an iRule for the server SSL profile selection like I mentioned above.
0
Comment made 21-Oct-2015 by Michael Waldron 76
Yep, I hadn't seen your post when I made mine. I'm going to look into the iRule tomorrow. I've not done anything with them before so much like the rest of this deployment, this will be a learning experience.
0
Comment made 22-Oct-2015 by Michael Waldron 76
When I attempt to add the above iRule I'm given the following error:

    error: /Common/ssl_sni_forward:5: error: [command is not valid in current event context (SERVER_CONNECTED)][HTTP::host]

Any ideas?
0
Comment made 22-Oct-2015 by Brad Parker 4475
Well that's dumb that it's not available in SERVER_CONNECTED. This should work and do the same thing.

    when SERVER_CONNECTED {
        catch {
            SSL::profile "[string tolower [getfield [HTTP::header "HOST"] ":" 1]]_serverSSL"
        }
    }
0
Comment made 22-Oct-2015 by Michael Waldron 76
When I apply the iRule it requires that I use the fasthttp profile, which doesn't appear to allow HTTPS connections.
0
Comment made 22-Oct-2015 by Brad Parker 4475
It should not require fasthttp; it will require an HTTP profile, which is allowed with a clientssl profile.
0
Comment made 22-Oct-2015 by Michael Waldron 76
01070394:3: HTTP::header in rule (/Common/ssl_sni_forward) requires an associated FASTHTTP profile on the virtual server (/Common/Test-IIS-HTTPS).
0
Comment made 22-Oct-2015 by Brad Parker 4475
That's very odd, not sure why it's wanting a fasthttp. This should do the trick, just not as "pretty".

    when HTTP_REQUEST {
        # Profile name is derived from the Host header: strip any :port, lowercase
        set serverSSL "[string tolower [getfield [HTTP::host] ":" 1]]_serverSSL"
    }
    when SERVER_CONNECTED {
        # catch leaves the VIP's default server SSL profile in place if no matching profile exists
        catch { SSL::profile $serverSSL }
    }
0
Comment made 02-Nov-2015 by Michael Waldron 76
Just wanted to post a followup to say that this 2-part solution got me going. Thanks Brad! I have one followup question though. Is there a way to change the server name attribute in a server SSL profile from an iRule? Something like:

    when SERVER_CONNECTED {
        $serverSSL->serverName.set [string tolower [getfield [HTTP::host] ":" 1]]
        catch { SSL::profile $serverSSL }
    }
0
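The symptom in this thread (IIS answering 400 Invalid Hostname from every binding except the default one) is what you get when the server-side ClientHello that BIG-IP sends to the pool member either carries no SNI or carries a name that does not match the client's Host header. The quickest way to confirm which case you are in is to capture the BIG-IP-to-pool leg and look at the first handshake record. The following is an added example, not code from the thread or from F5: it mirrors the Host-header normalisation the iRule above performs (strip any port, lowercase) so you know what SNI to expect, and pulls the server_name extension (RFC 6066, type 0) out of a raw TLS ClientHello record. The ClientHello builder exists only to construct sample records inline; the record bytes, cipher suites and random are constructed for the example and are not from a real capture.

```python
"""Check whether a TLS ClientHello carries the SNI a Host header implies.

Added example for the BIG-IP SNI re-encryption thread; not from the thread,
not F5 code. Sample ClientHello records are constructed inline.
"""
import struct
from typing import Optional


def server_ssl_target(host_header: str) -> str:
    """Same normalisation as the iRule: [string tolower [getfield [HTTP::host] ":" 1]]."""
    host = host_header.strip()
    # getfield ":" 1 takes everything before the first colon, so an IPv6 literal
    # such as "[::1]:443" would give "[" in the iRule too. Refuse it explicitly
    # rather than selecting a nonsense profile.
    if host.startswith("["):
        raise ValueError("IPv6 literal Host header is not a usable SNI name")
    return host.split(":", 1)[0].lower()


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with or without SNI.

    This is sample data for the parser below, not a working TLS client.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: name_type host_name(0), 2-byte length, name bytes
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    # ec_point_formats (type 11), present so the parser has to skip a non-SNI extension
    ecpf_body = b"\x01\x00"
    extensions += struct.pack("!HH", 0x000B, len(ecpf_body)) + ecpf_body

    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x11" * 32                                # random (constructed, fixed)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]

    pos = 2 + 32                                      # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos >= len(body):
        return None                                   # hello without any extensions
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", ext[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            name = ext[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                        # host_name
                return name.decode("ascii")
    return None


def server_side_sni_ok(record: bytes, host_header: str) -> bool:
    """True when the pool member will see the SNI the client's Host header implies."""
    return extract_sni(record) == server_ssl_target(host_header)
```

A captured server-side ClientHello for which `extract_sni` returns None is the "no Server Name set on the selected server SSL profile" case, and that is the record IIS answers with 400 Invalid Hostname unless the site is the default binding; a non-None value that differs from `server_ssl_target(host)` means the wrong server SSL profile was selected for that request.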
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi. I'm reviving this thread hoping to find a definitive answer to the same problem. Is this configuration supported without an iRule? Here is the setup:

  • 1 VS => Https pool => 2 servers port 443
  • I created a base default sni profile defaultsniclient and a base default sni server profile defaultsniserver
  • I created two clients profiles based on the client sni profile with the right certs.
  • I created two server profiles based on the server sni profile with the right certs.

profile 1 has sni entry app1.domain.com
profile 2 has sni entry app2.domain.com

default sni profile has just defaultsni.domain.com

sni entries are set on both client and server profiles

now when I add the three client profiles (default sni + the other two for app1.domain.com and app2.domain.com) and the three server profiles I cannot connect to the two websites.

If I test the two profiles separately they work fine.

Insight is welcome ! thanks.

0
Comments on this Answer
Comment made 26-Jun-2017 by Stanislas Piron 10481
Hi,
look at this awesome code
-1
Comment made 26-Jun-2017 by JoeTheFifth 301
I'm testing this on 11.5.4.2.0.291
0
Comment made 26-Jun-2017 by JoeTheFifth 301
Thanks for the link. Two questions: does this mean that my setup (multiple sni profiles) won't work? I will post the second question on the other thread :-)
0
Comment made 26-Jun-2017 by Stanislas Piron 10481
Hi,
Yes, you don't have to configure multiple serverssl profiles but only one with the iRule of the provided link.
0