Forum Discussion

Michael_Waldron
Oct 21, 2015

Help with SNI not being passed to pool servers

I think my problem is a missing check box somewhere, but I can't figure out where it is.

I'm running a BigIP, v11.6, in a test environment before we migrate to it in production.

Our requirements are for a fully SSL encrypted connection end to end, and as such I have the BigIP configured to terminate SSL on device, and then re-establish an SSL tunnel to the pool members. I'm using SNAT auto map, I've configured a cookie persistence profile as well as an HTTP profile to insert X-Forwarded-For.

All the above is working fine, until I add SNI into the mix.

Our production environment uses over 20 web sites sharing a single IP using SNI and a combination of wildcard and non-wildcard certificates, all accessible via SNI and host headers. When I migrate my test server to require SNI, the connection is established to the BigIP, SNI is resolved and the correct certificate is presented to the client, however the pool servers are not being contacted correctly by the BigIP and they are not responding.

I've searched through the forums and I don't really see anything applicable, but I admit I'm new with BigIP and I feel like I'm incorrectly using a term or missing a checkbox somewhere.

Can someone point me in the right direction, or link me to where I should have found the answer before I posted?

Thanks in advance!

38 Replies

    • Michael_Waldron
      I read through that link and I'm not sure it's what we're looking for. It appears that SSL Forward Proxy recreates certificates, and we already have created and assigned certificates for our servers. I ran through the instructions and tried it anyway just to be sure, but it also did not allow the server to answer a request.
  • My guess is that you will have to have a server SSL profile with the Server Name field populated for every client SSL profile you have attached. I'm trying to confirm that now, but that is my suspicion.

    • Michael_Waldron
      This appears to be the right path. I found under Advanced configuration in the SSL Server profile where I could specify a server name, and after doing that the first of my test sites is working. I still have to verify it for multiple sites and multiple domain names, but things are looking up. I'll report back with my final results.
    • Brad_Parker
      If it doesn't work with multiple sites you may have to use an iRule for the server SSL profile selection. This could do that assuming you name your server SSL profiles (hostname)_serverSSL and apply a default server SSL profile to the VIP with no SNI configured in it.

          # HTTP::host is an HTTP_REQUEST-event command, so read the Host header there
          # (lowercased, port stripped) and keep it for the server-side event.
          when HTTP_REQUEST {
              set host [string tolower [getfield [HTTP::host] ":" 1]]
          }
          # Once the pool member connection is up, switch to the matching server SSL
          # profile; catch swallows the error when no such profile exists, so the
          # default server SSL profile on the VIP is used instead.
          when SERVER_CONNECTED {
              catch { SSL::profile "${host}_serverSSL" }
          }
    • Michael_Waldron
      Ok, this got me a bit closer, but now I'm running into the following: When I attempted to add a 2nd server SSL profile to my virtual server, I was told I needed a default SNI profile. So I created a default profile (a copy of serverssl with the only modification being the default option checked) and after applying that to the virtual server I could not access either test site. I removed the default profile, and selected Test1 as default. I was then able to access the test1 site via the virtual server, but not test2. If I change the profiles to make Test2 the default, I can access it but not Test1. The non-default server returns a 400 - Bad Request Invalid Hostname.
  • Hi. I'm reviving this thread hoping to find a definitive answer to the same problem. Is this configuration supported without an iRule? Here is the setup:

    • 1 VS => Https pool => 2 servers port 443
    • I created a base default sni profile defaultsniclient and a base default sni server profile defaultsniserver
    • I created two client profiles based on the client sni profile with the right certs.
    • I created two server profiles based on the server sni profile with the right certs.

    profile 1 has sni entry app1.domain.com
    profile 1 has sni entry app2.domain.com

    default sni profile has just defaultsni.domain.com

    sni entries are set on both client and server profiles

    now when I add the three client profiles (default sni + the other two for app1.domain.com and app2.domain.com) and the three server profiles I cannot connect to the two websites.

    If I test the two profiles separately they work fine.

    Insight is welcome! Thanks.