Forum Discussion

alokjhafb_28741
Feb 06, 2017

Does BIG-IP send traffic to pool members by IP and is it possible to recognize hostname?

I have a question regarding BIG-IP's communication with pool member servers. Is it accurate that the BIG-IP has no concept of the 'hostname' of the pool members and forwards traffic to pool members by IP alone? I have set up a serverssl profile that is configured to 'Require' Server Certificate and DROP untrusted and expired SSL certs presented by member servers. It all works except for ONE scenario: When a member server presents an SSL cert with a CN that matches the Authenticate Name on the server SSL profile but is the WRONG SSL cert for it.


e.g: The member hostname is foo.example.com; it is serving an SSL cert for CN bar.example.com. The server-ssl profile is set up with Authenticate Name bar.example.com. I would have expected the BIG-IP to DROP traffic to pool member foo.example.com but it doesn't. The BIG-IP sees 'bar.example.com' for Authenticate Name in the serverssl profile, matches that to the 'bar.example.com' in the CN of the SSL cert presented by server and blesses the communication.


I'm running BIG-IP 11.5.1 HF10; is someone able to confirm that this is indeed how it works and maybe suggest what I could do to make the BIG-IP check pool member hostname?


1 Reply

  • Hi alokjhafb,

    HTTP communication and the underlying TLS/SSL communication are completely distinct from each other.

    The clientside connection may request (via Server Name Indication) a certificate for but then may request a page using the HOST-name of .

    The F5 may establish a serverside SSL connection to a pool member and then check if a specific CNAME / DNS Name is present in the received certificate. But right after the F5 can still forward requests for a completely different HOST-name.

    This is an intended default behavior. But feel free to overwrite this behavior by using handcrafted iRules and/or LTM Policies to filter out requests for unknown HOST-names as well as selecting the right Pools and matching Server_SSL_Profiles based on the requested HOST-names.

    Example iRule:

    when HTTP_REQUEST {
        # Normalize the requested Host header so the comparison is case-insensitive
        set low_host [string tolower [HTTP::host]]
        if { $low_host eq "www.domain.net" } then {
            pool "Pool_www.domain.net"
            set server_ssl "/Common/SRV_SSL_www.domain.net"
        } elseif { $low_host eq "www.domain.com" } then {
            pool "Pool_www.domain.com"
            set server_ssl "/Common/SRV_SSL_www.domain.com"
        } else {
            # Unknown HOST-name requested: answer the client and close the connection
            HTTP::respond 502 content "Bad Gateway: Unknown HOSTNAME requested" "Content-Type" "text/html" "Connection" "close"
            TCP::close
        }
    }
    when SERVER_CONNECTED {
        # Apply the serverside SSL profile selected for this HOST-name
        SSL::profile $server_ssl
    }

    Cheers, Kai
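The per-member check the question asks for (foo.example.com must not be accepted when it serves bar.example.com's certificate) can be done on the serverside handshake instead of relying on the profile's single Authenticate Name. The iRule below is an added example, not part of Kai's reply or of F5's own documentation; it assumes a constructed mapping of pool member IPs (10.0.0.11, 10.0.0.12) to the names their certificates must carry, that the serverssl profile requires a server certificate as in the question, and that `SSL::cert 0` inside SERVERSSL_HANDSHAKE returns the certificate the pool member presented.

```tcl
# Added example: verify that each pool member's certificate carries the name
# that member is expected to have, keyed by the member's IP address.
when RULE_INIT {
    # Constructed mapping: pool member IP -> hostname its certificate must carry
    array set static::expected_name {
        10.0.0.11 foo.example.com
        10.0.0.12 bar.example.com
    }
}

when SERVERSSL_HANDSHAKE {
    set member [IP::server_addr]

    # Unknown member: fail closed rather than trust whatever name the cert carries
    if { ![info exists static::expected_name($member)] } {
        log local0.warn "No expected name configured for pool member $member, rejecting"
        reject
        return
    }

    # Assumed: the serverssl profile requires a server certificate, so one is present
    if { [SSL::cert count] < 1 } {
        log local0.warn "Pool member $member presented no certificate, rejecting"
        reject
        return
    }

    # Subject comes back as "CN=bar.example.com,O=...,C=..."; pull out the CN.
    # Only the subject CN is compared here; subjectAltName is not inspected.
    set subject [X509::subject [SSL::cert 0]]
    if { ![regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject -> cn] } {
        log local0.warn "No CN in certificate from $member ($subject), rejecting"
        reject
        return
    }

    set expected $static::expected_name($member)
    if { ![string equal -nocase [string trim $cn] $expected] } {
        log local0.warn "Pool member $member presented CN '$cn', expected '$expected', rejecting"
        reject
        return
    }
    log local0.info "Pool member $member presented expected CN '$cn'"
}
```

In the question's scenario, member 10.0.0.11 (foo.example.com) presenting a bar.example.com certificate would now be rejected and logged, while the profile's existing untrusted/expired checks still apply independently.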