Forum Discussion

Dominique_10413
Mar 10, 2009

iRule to route https traffic to different pool based on hostname

We have a rather urgent requirement to route HTTPS traffic to two different hosts based on the hostname that was requested.

Effectively what we need to do is have 1 public IP address (linked to a virtual server); to which all traffic is directed. If the request is for one.domain.com route it to http_server_one and if the request is for two.domain.com route the request to http_server_two.

SSL termination can be handled by either the LTM or the HTTP Server.

We are running BIG-IP 9.1.2 Build 40.2

Any advice would be helpful.

Thank you

Dominique

9 Replies

  • Hi Dominique,

    Do you have a single SSL certificate which is valid for both one.domain.com and two.domain.com? If not, it's not really possible to load balance two different hosts by hostname over SSL. Check this post for details/some options:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=33536&ptarget=33552

    Aaron
  • Hi Aaron,

    We do have valid certificates for both domains.

    Regards

    Dominique
  • The crucial thing is to have a single cert which is valid for both domains. For all practical scenarios you can only support one cert per virtual server. So you either need a single cert valid for both domains or you need to change the DNS so that the two domains resolve to separate IP addresses. You can check the other post I referenced for additional details.

    Aaron
  • Thank you for the reply. I was hoping to avoid the full blown explanation but think it might paint a clearer picture.

    About a year ago we re-branded our company and were using ws.mortgagesa.com as the publicly accessible URL for partner interactions. As the change control process with these partners is always a really really long drawn out affair that takes weeks to conclude, I was hoping to have a way that would allow us to use the same public IP address for both ws.mortgagesa.com and ws.ooba.co.za. I do have two valid publicly signed certificates but am struggling to find a way to make the change in a way that doesn't negatively affect all partners interacting with us at the same time.

    I know that the LTM can do SSL termination but for this scenario I was planning on doing the termination on the application server hosting the application. Meaning that I would have two virtual hosts each doing the SSL termination; one for ws.mortgagesa.com and the other for ws.ooba.co.za and then have one publicly accessible IP address that resolved for both. Then on the LTM with an iRule send traffic to vhost one or vhost two depending on which domain was requested.

    Hope this paints a clearer picture?

    Regards

    Dominique
  • From the LTM perspective, if you want to be able to specify that requests with a host header for site1.com go to one pool of web servers and requests for site2.com go to a second pool of web servers, you need to either:

    1. Be able to decrypt the SSL to view which host the request is for. This would require using a single SSL certificate in a client SSL profile. LTM would then present the cert to clients and decrypt the SSL to check the HTTP host header. You cannot dynamically select the "correct" cert of two choices, because you have to decrypt the SSL to know which cert is valid for the client's requested host. So if you could get a single cert valid for site1.com and site2.com, this option would work. You can potentially get a single cert for two separate domains using Subject Alternate Names (SANs). Most modern browsers and many certificate authorities support SANs.

    2. Or you need to be able to use DNS to point the domains to separate IP addresses. You can then use a single certificate per IP address. With this option you could either decrypt the SSL on LTM or pass it through encrypted. The former option would give you more flexibility in inspecting/modifying the HTTP.

    Aaron
  • If you do end up going with option one, you can use HTTP classes in 9.4+ or an iRule to select the pool based on the requested host header. For details on using HTTP classes, you can check the LTM configuration guide for your version. Here is an example iRule:

     when HTTP_REQUEST {
        # Check requested host header (set to lowercase)
        switch [string tolower [HTTP::host]] {
           "www.site1.com" {
              pool site1_pool
           }
           "www.site2.com" {
              pool site2_pool
           }
           default {
              pool default_pool
           }
        }
     }

    Aaron
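An extended version of the host-header routing above for option one (client SSL profile on the LTM decrypting the traffic so the Host header is visible), added here as an example and not code from Aaron or from F5: it lowercases the Host and strips any ":port" suffix a client may send, maps both of Dominique's brand names onto one pool, checks that the chosen pool has active members before using it, and fails closed on an unrecognised Host instead of silently serving a default site. The pool names site1_pool, site2_pool and partner_ws_pool are assumptions, and the commands used are assumed to be available on the poster's LTM version.

```tcl
# Added example (not from the original thread): host-header pool selection
# for an HTTPS virtual server whose client SSL profile decrypts the traffic.
# Pool names are assumptions.
when HTTP_REQUEST {
    # Normalize: lowercase, then drop a ":port" suffix some clients put in Host
    set host [string tolower [HTTP::host]]
    set host [lindex [split $host ":"] 0]

    # Map each expected hostname to the pool that should serve it
    switch -- $host {
        "www.site1.com" {
            set target site1_pool
        }
        "www.site2.com" {
            set target site2_pool
        }
        "ws.mortgagesa.com" -
        "ws.ooba.co.za" {
            # Old and new brand names reach the same partner application
            set target partner_ws_pool
        }
        default {
            # Empty or unexpected Host: fail closed rather than leaking a
            # default site, and log it so the attempt is visible
            log local0. "Rejected request for unknown host '$host' from [IP::client_addr]"
            HTTP::respond 404 content "Unknown host"
            return
        }
    }

    # Only send traffic to a pool that still has available members; otherwise
    # answer with an explicit 503 instead of a connection reset
    if { [active_members $target] > 0 } {
        pool $target
    } else {
        log local0. "No active members in $target for host '$host'"
        HTTP::respond 503 content "Service temporarily unavailable"
    }
}
```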
  • Related to this, we have about 80+ sites all using the same Virtual Server that we're doing with host headers. Currently we're using http profiles to route them to the correct Pool, but I wonder if we wouldn't be better off with this iRule instead. Does anyone know if there is a performance improvement either way with so many sites?
  • Hi jrichter,

    Check your new post in the iRules forum for a response.

    Aaron