Rewrite Host and Select Different SSL Profile

Question

Hello, 
&nbsp;  
&nbsp; We have a current URL and cert combo that doesn't work because the web servers behind it got moved, but I need to figure out how to write an iRule on the LTM to get it working again, albeit it with some rewrites on the F5 that are transparent to the customer. 
&nbsp;  
&nbsp; We had a site, service.service.com and an associated cert.  It went away, but some customers still hit the URL. 
&nbsp;  
&nbsp;  
&nbsp; I want to... 
&nbsp;  
&nbsp; 1) Rewrite the host name that gets sent to the internal web server.  I think I found something for that already.  The following rule should rewrite the host name that gets sent internally while keeping the customer in the dark about the name change. 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    if { [HTTP::header "Host"] eq "service.service.com" } { 
&nbsp;      HTTP::header replace "Host" "service2.service.com" 
&nbsp;    }  
&nbsp; } 
&nbsp;  
&nbsp; 2) Prevent a cert error. 
&nbsp;  
&nbsp; The only way I can think of to do this is to take the previous rule and also have it use a different SSL Client profile than the default on the virtual server. 
&nbsp;  
&nbsp; I haven't found this second part.  If it exists, I would like to have it in one big iRule. 
&nbsp;  
&nbsp; If anybody knows how to do this, it would help us greatly. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Paul 
&nbsp;  
&nbsp; PS. This URL is an example and not the real URL.

hooleylist · Answer

Hi Paul, 
&nbsp;  
&nbsp; Do both hostnames resolve to the same IP address?  If so, in order to prevent a mismatched cert warning, you'd need to get a cert which is valid for both hostnames or configure a separate virtual server address and change the DNS record for one hostname.  A single cert is generally only an option if both hostnames are on the same domain.   
&nbsp;  
&nbsp; See this post for more info: 
&nbsp;  
&nbsp; ssl redirect not working 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;view=topic&amp;postid=1167658&amp;ptarget=1144662 
&nbsp;  
&nbsp; If this isn't the case, can you elaborate on the scenario? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

pgermain_71805 · Answer

Thanks Aaron, 
&nbsp;  
&nbsp; They do both resolve to the same IP address.  I thought there might be some trick to have it choose a different ssl profile based on the host variable.  If there isn't, then it is what it is. 
&nbsp;  
&nbsp; Paul 
&nbsp;  
&nbsp;  
&nbsp;  &nbsp;

hooleylist · Answer

At some point we'll be able to select the correct cert using a TLS extension.  But until most browsers support it (or if you have a controlled client base), it's not practical to bother with.  See this post for details: 
&nbsp;  
&nbsp; SSL client profile based on hostname 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;tpage=1&amp;view=topic&amp;postid=3071 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Rewrite Host and Select Different SSL Profile

3 Replies

Recent Discussions

What is the meaning is 52% block in WAF

Rundeck ansible F5 errors

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Rewrite profile statistics in ltm

Rewrite profile limit on URI rules

Rewriting iRules...LIVE!

SSL Profiles

Copper SFP Differences