Multiple HTTPS sites on a single IP

I'm trying to host multiple HTTPS sites with different HTTP backends on a single IP address, following https://support.f5.com/csp/article/K13452 as much as possible.

Version: BIG-IP 13.1.1 Build 0.0.4 Final

I have imported my wildcard certificate and have configured the following:

Client SSL profiles

domain.com:

  • No "Server Name"
  • "Default SSL Profile for SNI" checked

sub1.domain.com:

  • Parent: "domain.com"
  • Server Name: "sub1.domain.com"
  • "Default SSL Profile for SNI" NOT checked

sub2.domain.com:

  • Parent: "domain.com"
  • Server Name: "sub2.domain.com"
  • "Default SSL Profile for SNI" NOT checked

Virtual Servers

sub1

  • Destination 10.0.0.1
  • Service port: 443 HTTPS
  • HTTP profile: http
  • SSL Profile (Client): domain.com + sub1.domain.com
  • Source Address Translation: Auto Map

sub2

  • Destination 10.0.0.2
  • Service port: 443 HTTPS
  • HTTP profile: http
  • SSL Profile (Client): domain.com + sub2.domain.com
  • Source Address Translation: Auto Map

But as mentioned I only have a single IP address, and when I change the destination on the VS for sub2 to "10.0.0.1" I'm presented with this error: 01070333:3: Virtual Server /Common/sub2 illegally shares destination address, source address, service port, ip-protocol, and vlan with Virtual Server /Common/sub1

I was under the impression that because I'm using multiple SSL profiles with specific Server Names it should be possible to host this on a single IP.

Comments on this Question
Comment made 3 months ago by Shann_P 358

You can only have one IP:Port combination for a Virtual Server since the traffic wouldn't know which one to go to. You need to put all the SSL profiles on one Virtual Server.

Comment made 3 months ago by Mischa 11

And how would I proxy traffic for sub1 and sub2 to different backends?

Comment made 3 months ago by Shann_P 358

You would need to write an iRule or create a local traffic policy to send traffic to different pools.

Here is a good example: https://devcentral.f5.com/questions/irule-which-check-uri-or-path-contains-62590

Comment made 3 months ago by Mischa 11

You said "traffic wouldn't know which one to go to", but isn't that where SNI comes into play?

There's even an article saying that Prior to the introduction of SNI, the client could not establish secure connections to multiple virtual servers hosted on a single IP address. To me that sounds like with SNI support multiple virtual servers hosted on a single IP address has been made possible...

Source https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication

Comment made 3 months ago by Shann_P 358

You have two Virtual Servers based on this error message:

Virtual Server /Common/sub2 illegally shares destination address, source address, service port, ip-protocol, and vlan with Virtual Server /Common/sub1

The error message says that you're trying to use the same IP address and port for both Virtual Servers. How would traffic know to go to Virtual Server A over Virtual Server B? SNI (as I understand it) is for matching a domain to a certificate so that multiple domains can be used for one Virtual Server. I don't think it has anything to do with routing in the sense of directing traffic, at least not in how I've used it.

In the end, a virtual server is a listener and just like you can't have two hosts with the same IP address on a network, due to the obvious IP conflict, you cannot have two Virtual Servers with the same IP address and Port. You can have the same IP address with a different port (i.e. 10.0.10.10:443 and 10.0.10.10:22).

Comment made 3 months ago by Mischa 11

I'm coming from NGINX, that's probably where my thinking goes wrong. On NGINX I just add another "server" listening on the same IP:port combination, but with a different "Server Name".

Thanks for the quick replies!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hey Mischa

I'm sorry but it is a bit confusing.

Do you have a wildcard certificate? Meaning that certificate is issued for *.domain.com? In that case you only need to use a single Client SSL Profile where you have assigned the certificate.

Client SSL Profile

  • Name: wildcard_domain_com
  • Certificate: wildcard_domain_com.crt
  • Key: wildcard_domain_com.key

Then you create one single virtual server, for instance:

Virtual Server

  • VS Name: vs_wildcard_domain_com
  • Destination IP: 10.0.0.1
  • Service port: 443 HTTPS
  • HTTP profile: http
  • SSL Profile (Client): wildcard_domain_com
  • Source Address Translation: Auto Map
  • NO DEFAULT POOL

Pool 1

  • Name: pool_sub1_domain_com
  • Member: 172.16.1.10:80

Pool 2

  • Name: pool_sub2_domain_com
  • Member: 172.16.1.20:80

Now to the "tricky" part. In order to load balance to different pools you need an iRule that will check the Host header inside the HTTP request and load balance based on that. Luckily, there is an iRule created just for this, named ProxyPass. You can download it here:

ProxyPass v10/v11

Download this iRule and assign to the VS.

Then navigate to Local Traffic > iRules > Data Group List and create the following Data Group List:

  • Name: ProxyPassvs_wildcard_domain_com
  • Type: String

Then enter the following values:

Subdomain 1

  • String: sub1.domain.com/
  • Value: sub1.domain.com/ pool_sub1_domain_com

Subdomain 2

  • String: sub2.domain.com/
  • Value: sub2.domain.com/ pool_sub2_domain_com

This should give the results you're after.

And on another note, you do not need SNI for this because you are intercepting the SSL traffic by having a Client SSL Profile. So the HTTP Host header will be readable by the BIG-IP.

SNI load balancing will only be needed when you have an HTTPS VS without a Client SSL Profile, because in that case the HTTP Host header will be encrypted. In that case we use the SNI, which is part of the Client Hello in the SSL handshake.

I hope this helps!

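As an added example (this is not code from the thread and not the ProxyPass iRule the answer links to), here is a minimal iRule that does the same Host-header based pool selection on a single virtual server. It differs from ProxyPass in two deliberate ways: the data group is matched with an exact `equals` lookup rather than a prefix match, and an unknown host fails closed with a 421 instead of landing in a default pool. It assumes a String data group named dg_host_to_pool (an assumed name) whose keys are the hostnames and whose values are the two pool names from the answer; the 421 status and the `catch` around `pool` (which assumes `pool` raises a Tcl error when the named pool does not exist) are choices of this example.

```tcl
# Added example: Host-header based pool selection on one HTTPS virtual
# server that terminates TLS with a Client SSL profile, so HTTP::host is
# readable. Not the ProxyPass iRule.
#
# Assumed String data group "dg_host_to_pool" (name is an assumption of
# this example; pool names are the ones from the accepted answer):
#   sub1.domain.com := pool_sub1_domain_com
#   sub2.domain.com := pool_sub2_domain_com

when HTTP_REQUEST {
    # The Host header is client-controlled input: normalise it before using
    # it as a lookup key. Lower-case it and drop an explicit ":port" suffix
    # (browsers may send "sub1.domain.com:443"). IPv6 literal hosts are not
    # handled here.
    set host [string tolower [HTTP::host]]
    set host [lindex [split $host ":"] 0]

    # Exact match, not starts_with: "sub1.domain.com.evil.test" must not be
    # routed to sub1's pool. Returns the value (pool name) or "".
    set target [class match -value $host equals dg_host_to_pool]

    if { $target eq "" } {
        # Unknown or missing Host: fail closed rather than falling into a
        # default pool. 421 Misdirected Request is the status chosen here.
        HTTP::respond 421 content "Unknown host" "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # Guard against a stale data-group entry that names a deleted pool.
    # Assumption: "pool" raises a Tcl error for a missing pool, so catch
    # turns it into a logged 503 instead of a reset connection.
    if { [catch { pool $target } err] } {
        log local0. "host $host maps to missing pool $target: $err"
        HTTP::respond 503 content "Backend unavailable" "Content-Type" "text/plain" "Connection" "close"
        return
    }
}
```

Attach the iRule to the single 443 virtual server that carries the wildcard Client SSL profile, and leave the virtual server without a default pool so that only hosts present in the data group are ever forwarded.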
Comments on this Answer
Comment made 3 months ago by Mischa 11

Hi Philip,

Nothing to be sorry for, unless you're the lead developer! ;-)

Thanks for your clear instruction, I've been able to get it working like that.

It's indeed a bit confusing when coming from a product that first looks at the SNI and then routes traffic to a Virtual Server, where the BIG-IP first routes traffic to a Virtual Server and then uses SNI.

Comment made 3 months ago by Philip Jonsson 1018

My pleasure, I'm glad I could help out. :)

Actually this does not use the SNI at all.

Since you are using a Client SSL Profile, you are intercepting the SSL session and decrypting the data. The iRule works in the following manner:

First you specify the datagroup list it should look in using the following variable:

set clname "ProxyPass[URI::basename [virtual name]]"

Then it runs through the following part of the iRule:

if { ! [class exists $clname] } {
    # The data group named after the virtual server is missing: fall back
    # to the virtual server's default pool and stop processing.
    log local0. "$log_prefix: Data group $clname not found, exiting."
    pool $default_pool
    return
} else {
    # Stage 1: prefix-match "<host><uri>" against the data group keys.
    set ppass [class match -element "$orig_host$orig_uri" starts_with $clname]
    if { $ppass eq "" } {
        # Stage 2: did not find with hostname, look for just the path.
        set ppass [class match -element "$orig_uri" starts_with $clname]
    }
    if { $ppass eq "" } {
        # No entries found: use the default pool.
        if { $static::ProxyPassDebug > 0 } {
            log local0. "$log_prefix: No rule found, using default pool $default_pool and exiting"
        }
        pool $default_pool
        return
    }
}

The first part only checks if the variable $clname exists. In other words, the Data Group List you created. If it does not find it, it will use the Default Pool assigned to the virtual server.

The second part uses a class match which means it will search inside the Data Group List using the variable $clname. It will use the variables $orig_host$orig_uri which are:

set orig_uri "[HTTP::uri]"

set orig_host "[HTTP::host]"

So it will look for the host, in our case: sub1.domain.com

And the URI: /

If it does not match, it will just look for the path. If that isn't matched it will send it to the default pool.

Later on in the iRule it eventually load balances to the pool you have defined in the Data Group List.

But that is just to explain what values it bases its load balancing decision on.

It can base its values on the HTTP::host and HTTP::uri because this data is available to the BIG-IP because it is intercepting the SSL session and decrypting the payload.

I hope this helped! :)

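To make the lookup order described in the comment above concrete, here is an added stand-alone Tcl script (run it with tclsh; it is not part of the thread and not part of ProxyPass) that emulates the two `class match -element ... starts_with` stages against the data group from the accepted answer and runs a few constructed requests through them. It reproduces only the snippets quoted in the comment, not the rest of the ProxyPass iRule, and the requests are made up for this walkthrough; the interesting rows are the ones that fall through to the default pool.

```tcl
# Added example: emulate the ProxyPass lookup order outside a BIG-IP.
# "class match -element <needle> starts_with <dg>" is replaced by a plain
# Tcl list scan; everything else mirrors the quoted snippet.

# Data group from the accepted answer: {key {key pool}} per entry.
set proxypass_dg {
    {sub1.domain.com/ {sub1.domain.com/ pool_sub1_domain_com}}
    {sub2.domain.com/ {sub2.domain.com/ pool_sub2_domain_com}}
}

# Emulates: class match -element $needle starts_with $dg
# Returns the {key value} element whose key is a prefix of $needle, or "".
proc class_match_starts_with {dg needle} {
    foreach entry $dg {
        lassign $entry key value
        set prefix [string range $needle 0 [expr {[string length $key] - 1}]]
        if { $prefix eq $key } {
            return $entry
        }
    }
    return ""
}

# The lookup order from the quoted iRule: "<host><uri>" first, then the
# URI alone, otherwise the virtual server's default pool.
proc proxypass_select {dg host uri default_pool} {
    set ppass [class_match_starts_with $dg "$host$uri"]
    if { $ppass eq "" } {
        set ppass [class_match_starts_with $dg $uri]
    }
    if { $ppass eq "" } {
        return $default_pool
    }
    # The data-group value is "<key> <pool>"; the pool is its second word.
    return [lindex [lindex $ppass 1] 1]
}

# Constructed requests (Host header value, request URI). The explicit
# ":443" breaks the prefix match because the key ends in "/", so that
# request ends up in the default pool; the look-alike host does not match
# for the same reason, which is what keeps it out of sub1's pool.
set requests {
    {sub1.domain.com /}
    {sub1.domain.com /app/login}
    {sub2.domain.com /}
    {sub1.domain.com:443 /}
    {sub1.domain.com.evil.test /}
}

foreach req $requests {
    lassign $req host uri
    set pool [proxypass_select $proxypass_dg $host $uri "(default pool)"]
    puts [format "%-26s %-11s -> %s" $host $uri $pool]
}
```

The script prints sub1.domain.com and sub2.domain.com requests mapped to pool_sub1_domain_com and pool_sub2_domain_com, while the "sub1.domain.com:443" and "sub1.domain.com.evil.test" rows resolve to the default pool. With the virtual server configured as in the answer (no default pool), those two requests would not be forwarded anywhere, so if clients legitimately send a port in the Host header the data group needs a second key for that form.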