Forum Discussion

Festus_50639
Mar 02, 2009

GTM or LTM to redirect? That is the question.

Hello all,

I'm in a bit of a sticky wicket trying to get to the end point in solving what seems to be a fairly simple issue.

In our environment, we have both GTMs and LTMs for our public DNS and web presence.

What the folks that manage the web sites would like is for httpS requests to "site.com" to be redirected to "www.site.com" and have it so that requests to "site.com" do not get any certificate errors, since currently (that I know of anyway) only one certificate can be used per VIP.

Currently on our GTMs, both "site.com" and "www.site.com" resolve to the same IP address.

A redirect from "site.com" to "www.site.com" is not possible to do (via httpS) without first getting a certificate mismatch error.

My searches for previous posts didn't seem to result in any returns close to what I'm looking for. Can someone either assist in what I'm trying to accomplish or at least provide a good post to help answer my question?

Thanks in advance.

Kevin

2 Replies

  • James_Quinby_46
    Historic F5 Account
    Have you considered using a wildcard SSL cert? That ought to cover *.site.com and lick the redirect mismatch error.
  • Wildcard certs may not actually cover site.com and www.site.com. You may need to specifically request this. Subject Alternate Names should allow you to use both instances though:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=33441&ptarget=33462

    For the HTTPS VIP, you're limited to supporting one certificate for one VIP. So if clients did make an HTTPS request using a hostname that didn't match the cert, they would get a cert mismatch error before you would be able to redirect them to a new location. You may be able to get a cert valid for all subdomains on your domain (a wildcard cert valid for *.example.com) or you could get a cert valid for multiple hostnames on different domains using subject alternate names (SANs). Try searching the forums here for SAN SSL or subject alternate name for some more information and links.

    It would be more ideal to avoid clients making requests via HTTPS to different hostnames that resolve to the same IP address.

    Aaron
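The name check a TLS client runs before any HTTP redirect can be sent, as an added example that is not part of the thread: it shows why a certificate listing only `*.site.com` still mismatches on `site.com`, while one listing both names passes. The certificate name lists are constructed, and the matching rule is a simplification that assumes whole-label, left-most wildcards only.

```python
# Added example: hostname-to-certificate matching for the two names on one VIP.
# Simplified rule (assumption): a wildcard must be the entire left-most label
# and stands for exactly one label, as current TLS clients apply it.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if one DNS name from a certificate covers the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # A wildcard never spans zero or several labels, so the counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject wildcards directly under a top-level label, e.g. "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    # Any other "*" (partial or non-left-most) is treated as no match.
    return "*" not in pattern and p_labels == h_labels


def cert_covers(dns_names, host):
    """True if any name in the certificate's DNS name list covers the host."""
    return any(name_matches(name, host) for name in dns_names)


def uncovered_hosts(dns_names, hosts):
    """Hostnames that would produce a mismatch error with this certificate."""
    return [h for h in hosts if not cert_covers(dns_names, h)]


# Both names resolve to the same VIP, which presents a single certificate.
VIP_HOSTS = ["site.com", "www.site.com"]

# Constructed DNS name lists for four candidate certificates.
CERTS = {
    "single-name": ["www.site.com"],
    "wildcard-only": ["*.site.com"],
    "wildcard+apex": ["*.site.com", "site.com"],
    "san": ["site.com", "www.site.com"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        missing = uncovered_hosts(names, VIP_HOSTS)
        status = "OK" if not missing else "mismatch for " + ", ".join(missing)
        print(f"{label:15} {status}")
```
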