Forum Discussion

N_67263
Feb 03, 2014

Help getting an iRule created.

Folks,

 

My use case here is to have requests going to a site "abc.test.com" go to "xyz.test.com". We can achieve this by creating a CNAME for "abc.test.com" as "xyz.bmc.com". The users have "abc.test.com" in their bookmarks and we want the new URL as "xyz.test.com".

 

The "xyz.test.com" is a VIP created on the F5 and has the required certificates to respond only to "xyz.test.com".

 

I am looking at an iRule where, if the F5 looks at the header as "abc.test.com", the F5 should convert that as "xyz.test.com". Also, it should allow the request to pass through.

 

Any suggestions?

 

Regards, Nik

 

3 Replies

  • You can change the host header going in and out of the LTM; however, you'll still get cert errors unless the cert has both host names in it (the SSL host name check happens before the LTM iRules get involved). It should work fine for HTTP only, then. You could also have a redirect which would send people to the correct URL.

    when HTTP_RESPONSE {
        # Guard: "HTTP::header replace" inserts the header when it is absent
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map -nocase {xyz.test.com abc.test.com} [HTTP::header value Location]]
        }
    }

    when HTTP_REQUEST {
        HTTP::header replace Host [string map -nocase {abc.test.com xyz.test.com} [HTTP::header value Host]]
    }

  • nathe

    Your only option to not get cert errors, as mentioned by lapayne, is to use either a wildcard or SAN cert of the virtual server. Alternatively you could use Server Name Indication (if TMOS v11.1 and above) on the virtual if you have a cert for abc.test.com too. Once the handshake is taking place it can see the host name and apply the correct client SSL profile (with correct SSL cert).

     

    N

     

  • If this is an internal site (or you have some control over who accesses it), you can check here to see if their browsers support SNI, which as mentioned by nathan could also help you.

     

    http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B6.5D
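
Added example, not part of the original thread or of any F5 code: a small Python check of which host names a certificate covers, illustrating the replies' point that the certificate name check happens before any iRule can rewrite the Host header. The three certificates are constructed sample data in the dict layout returned by `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
# Added example: does the certificate on the virtual server cover every
# host name clients will type? All certificate data here is constructed.

def _name_matches(pattern, host):
    """Compare one dNSName entry with a host name.

    A '*' is accepted only as the entire left-most label and never spans
    more than one label. Assumption of this example: a wildcard directly
    under a top-level label (e.g. '*.com') is rejected.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, host):
    """True if any DNS subjectAltName entry matches host.

    Only subjectAltName is consulted, as current browsers do.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return any(_name_matches(name, host) for name in sans)


def uncovered(cert, hosts):
    """Host names that would raise a certificate name error."""
    return [h for h in hosts if not cert_covers(cert, h)]


# Constructed certificates for the three cases discussed in the replies.
SINGLE_NAME = {"subjectAltName": (("DNS", "xyz.test.com"),)}
SAN_CERT = {"subjectAltName": (("DNS", "xyz.test.com"),
                               ("DNS", "abc.test.com"))}
WILDCARD = {"subjectAltName": (("DNS", "*.test.com"),)}

HOSTS = ["abc.test.com", "xyz.test.com"]

if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME),
                        ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD)):
        missing = uncovered(cert, HOSTS)
        print(f"{label:12} uncovered: {missing or 'none'}")
```

Against a live virtual server, the same functions can be fed the dict from `getpeercert()` after a handshake that sets `server_hostname`, which also shows which certificate an SNI-aware client SSL profile selects for each name.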