ViRules_96678
Oct 23, 2007 Nimbostratus
Serving alternative SSL certs from one virtual server
Morning,
We've run into a problem redirecting https traffic to a virtual server to http servers on the backend. We use an iRule to inspect the HTTP header, and redirect a.com to port 80 on the backend, b.com to port 81 on the backend, and c.com to port 8080 on the backend. This works fine if the virtual server is http, if no certs are involved, e.g.:
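    when HTTP_REQUEST {
        # Select the backend pool from the Host header of the request
        if { [HTTP::host] starts_with "www.a.com" } {
            pool Apache_Pool_80
        } elseif { [HTTP::host] starts_with "www.b.com" } {
            pool Apache_Pool_81
        } else {
            # Any other host goes to the port 8080 pool
            pool Apache_Pool_8080
        }
    }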
The problem is trying to redirect a separate https virtual server to the same http pools. We configured the https virtual server, and assigned a client cert to it. This causes the F5 to serve that cert BEFORE the redirect. Because the name on the cert is "a.com", it doesn't match if the client has browsed to b.com or c.com, and users get told of the client cert error.
Is there any way to perform the redirect BEFORE the SSL negotiation, with an iRule?
We're trying to get to a point where users who browse to https://www.a.com stay as https between client and F5, but users going to https://www.b.com or https://www.c.com get redirected to http://www.b.com and http://www.c.com without being shown certificate errors.
Traffic between the F5 and the backend servers is always in the clear, always http. There are no certs on the backend servers.
Any thoughts much appreciated!