Forum Discussion

Girish_HS_32793
Jul 23, 2008

Same VIP Multiple SSL Certs

Hi,

We have 4 HTTP applications which are mapped to one public IP address, and I have used one virtual IP address on my LTM to cater to these 4 applications. All 4 applications use the same pool members, and I have set up an iRule which redirects them to their respective home pages.

Now I have been asked to encrypt these using SSL certificates and I am in a fix.

Can someone help me as to how I can still use one virtual IP for 4 different HTTPS applications and still use SSL? Each application will have one separate SSL cert created.

7 Replies

  • Hi,

    The problem you face is that SSL communication is established before any HTTP transaction has been done. Therefore you won't be able to use an iRule to automatically select the right certificate to use. Even within the BIG-IP configuration you won't be able to handle this.

    You will need to define 4 different VSs to do this, or create a wildcard certificate (if your applications are appli1.mysite.com, appli2.mysite.com, ... you need a certificate for *.mysite.com).

    Do you have any way to identify which application is requested other than through the URI (like source IP address, etc.)?

  • F5 could add Server Name Indication (TLS extension) to LTM.

    One problem: old browsers do not speak TLS 1.1.
  • So if I use a wildcard certificate I can counter this issue, but I have applications like this:

    app.mysite-ip.com.aa

    app.mysite-ip.com.bb

    app.mysite-ip.com.cc

    app.mysite-ip.xx

    All these are mapped to 1 public IP address, and I have one more application, which is app.mysite-ip.co.kr.

    Now, firstly, can I use a wildcard certificate like app.mysite-ip.com.*? And if so, I am still stuck with app.mysite-ip.xx; how will I resolve this?

    "Do you have any way to identify which application is requested other than through the URI (like source IP address, etc.)?"

    No I don't. As of now the applications are on HTTP, and I have an iRule which redirects app.mysite-ip.com.aa to app.mysite-ip.com.aa/homepage, and so on for the rest of them.

  • I think this post has the evolution of this question (Click here).

    The practical answer for current versions is that you can only support one certificate per virtual server. A wildcard cert for *.example.com would allow you to host a.example.com and b.example.com on the same VIP using one cert. Using Subject Alternative Names (SANs) should allow you to host abc.com and xyz.com (or app.mysite-ip.com.aa and app.mysite-ip.com.bb) on the same VIP with one cert. At some point F5 and browsers will probably support the server_name extension for TLS to allow support for multiple certs on a single IP address and port. To request that F5 support this extension, you can open a case with F5 and ask them to attach it to CR94903.

    Aaron
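To make the wildcard-versus-SAN point above concrete for the hostnames in this thread, here is an added example (mine, not from the thread or from F5) that applies the usual certificate name-matching rules: a wildcard is accepted only as the whole leftmost label and matches exactly one label, so `*.mysite-ip.com` cannot cover `app.mysite-ip.com.aa`, `app.mysite-ip.com.*` is not a valid name at all, and only a SAN list naming every host lets one cert (hence one virtual server) serve them all. The hostnames and certificate name lists are constructed from the thread; no BIG-IP API is involved.

```python
"""Check which of a virtual server's hostnames a single certificate can cover."""
from typing import Iterable, List, Tuple


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (plain or wildcard) covers hostname.
    A wildcard matches exactly one label and only in the leftmost position,
    so '*.mysite-ip.com' covers 'app.mysite-ip.com' but not
    'app.mysite-ip.com.aa' (longer suffix) nor 'x.app.mysite-ip.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire leftmost label, appear once, and sit on a
    # suffix of at least two labels ('*.com' is rejected).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN entry on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def plan_virtual_servers(cert_names: Iterable[str],
                         hostnames: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split hostnames into those one cert (one VS) can serve and those that
    would each need their own VS with a separate cert, since without SNI a
    virtual server presents a single certificate."""
    names, hosts = list(cert_names), list(hostnames)
    covered = [h for h in hosts if cert_covers(names, h)]
    uncovered = [h for h in hosts if not cert_covers(names, h)]
    return covered, uncovered


# Constructed sample from the thread's hostnames (not real infrastructure).
THREAD_HOSTS = ["app.mysite-ip.com.aa", "app.mysite-ip.com.bb",
                "app.mysite-ip.com.cc", "app.mysite-ip.xx", "app.mysite-ip.co.kr"]
WILDCARD_ONLY = ["*.mysite-ip.com"]               # suffixes differ: covers none
MALFORMED = ["app.mysite-ip.com.*"]               # wildcard not leftmost: rejected
SAN_CERT = ["myarea.mysite-ip.com"] + THREAD_HOSTS  # one cert listing all names

if __name__ == "__main__":
    for names in (WILDCARD_ONLY, MALFORMED, SAN_CERT):
        covered, uncovered = plan_virtual_servers(names, THREAD_HOSTS)
        print(names, "->", len(covered), "covered;", uncovered, "need their own VS")
```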
  • OK, here is what I thought of as a workaround for this issue.

    I have 4 applications with the same public IP assigned to them and I am using one VS for these apps to communicate, so I'm having trouble using certs.

    I have 2 options that I can choose from, but I will need your help in opting for the correct one.

    Option 1: I will create a new domain, a new VS, a new public IP assigned to it, and also create a cert for it. Let's say I will create a domain like:

    Step 1) myarea.mysite-ip.com

    Step 2) create an SSL cert for myarea.mysite-ip.com

    Step 3) assign a new public IP and VIP and assign the same pool my other 4 apps are using.

    Now for the kill:

    Step 4) I will write an iRule which will redirect http://app.mysite-ip.com.aa to https://myarea.mysite-ip.com/homepage, and so on for the other 3 apps.

    Option 2:

    Everything remains the same as in option 1, but here I will use the same public IP to register my new domain, i.e., myarea.mysite-ip.com, and create a new HTTPS VS with the pool members, and when a request comes to http://app.mysite-ip.com.aa I will have an iRule to redirect it to https://myarea.mysite-ip.com/homepage.

    Which option is better, option 1 or option 2?
  • Yes, I am worried about the infinite loop. Either of the options might work for now, but I am worried about the future. As of now all 4 applications have a different home page each, and using iRules I can redirect to their respective home pages, like when a client requests http://app.mysite-ip.com.xx, redirect to https://myarea.mysite-ip.com/respectiveHomePage.

    I have 2 questions to ask:

    1) Will I end up with a lot of iRules to separate each application from the others?

    2) Can I have an iRule which will hard-code the host name even though the application is secured after the redirection to https://myarea.mysite-ip.com/respectiveHomePage? For example: the client requests access to http://app.mysite-ip.com.aa and gets redirected to https://myarea.mysite-ip.com/HomePage, but the client sees it as https://app.mysite-ip.com.aa and not https://myarea.mysite-ip.com/HomePage??