HTTPS/HTTP rewrite URL (Wildcard SSL cert)

Question

Hi guys,&nbsp;
I am pretty new to the forum and iRules...&nbsp;
Here's the issue I am having right now.&nbsp;
We are using a Wildcard SSL cert for one of our HTTPS URL (Lets call it https://*.abc.mydomain.com)&nbsp;
My CTO has requested us to implement a redirect rule for this URL. So when our customers try to access&nbsp;
"https://abc.mydomain.com", they will be redirecting to "https://www.abc.mydomain.com".&nbsp;
I used CNAME on the DNS server so whenever people are accessing "https://abc.mydomain.com" will be redirecting to the same web page as "https://www.abc.mydomain.com".&nbsp;
However, the redirecting does not udpate the URL on the browser to the "Redirected" URL...&nbsp;
Therefore, when you go to the URL, you will always get a SSL cert error message. (Since the original URL https://abc.mydomain.com does not match our wildcard ssl cert) &nbsp;
Is there anything I can configure on the BIG-IP to achieve this? &nbsp;
Any help will be great...&nbsp;
Jon&nbsp;

hooleylist · Answer

Hi Jon, 
&nbsp;  
&nbsp; To avoid the cert mismatch error you'd need to have a certificate that's valid for abc.mydomain.comn and www.abc.mydomain.com.  Your iRule would then work without the browser receiving a warning. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Another option would be to point one of the domains to a separate IP address with a validcert for that FQDN. 
&nbsp;  
&nbsp; Aaron

jma_46115 · Answer

Hi Aaron, 
&nbsp;  
&nbsp; I will give it a shot for the first solution. Making another cert and virtual server for abc.mydomain.com. 
&nbsp; Thank you for helping me out. 
&nbsp;  
&nbsp; Jon

kamalpreet_1068 · Answer

Hi Jon, 
&nbsp;  
&nbsp; Lets do like this 
&nbsp;  
&nbsp; 1. Do the DNS entry for abc.mydomain.com &amp; www.abc.mydomain.com to point to say "1.1.1.1" 
&nbsp; 2. Create 2 VIP on LB of IP - 1.1.1.1 listening on port 80 &amp; https 
&nbsp; 3. On VIP  apply rule 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;         if { [HTTP::uri] == "/"  } { 
&nbsp;             HTTP::redirect "https://www.abc.mydomain.com"  
&nbsp;         } 
&nbsp;            } 
&nbsp;  
&nbsp; All the traffic will be redirected to www.abc.mydomain.com and you can use that wildcard cert 
&nbsp;  
&nbsp;  
&nbsp; Kamal &nbsp;

hooleylist · Answer

The problem with using a single IP address for multiple fully qualified domain names is that LTM needs to complete an SSL handshake with a single SSL cert before being able to decrypt the SSL and inspect or modify the HTTP to determine which FQDN the client requested.  If LTM presents a cert which doesn't have the client's requested FQDN, the client will generate a mismatched cert error. 
&nbsp;  
&nbsp; If the clients are in a controlled set (ie, all owned by one organization) you could potentially use TLS SNI to determine which cert to present: 
&nbsp; http://en.wikipedia.org/wiki/Server_Name_Indication 
&nbsp;  
&nbsp; The reason TLS SNI hasn't taken hold fully yet is that many older browsers and operating systems don't support it yet: 
&nbsp; http://en.wikipedia.org/wiki/Server_Name_IndicationNo_support 
&nbsp;  
&nbsp; If you can get a single certificate which is valid for all of the FQDNs clients would use to access the virtual server, you can avoid this issue.  Typically, this is done with wildcard or Subject Alternate Nate (SAN) certs. 
&nbsp;  
&nbsp; If a SAN or wildcard cert can't be used and the clients are not corporate owned, you'll generally need one virtual server IP address per SSL certificate. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

HTTPS/HTTP rewrite URL (Wildcard SSL cert)

5 Replies

Recent Discussions

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Pricing when used with aws waf

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Related Content

HTTP Multipart and Security Implications

Rewrite http:// to https:// in response content

The HTTP/2 CONTINUATION frame attack

HTTPS offload rewriting

HTTPS to HTTP