Forum Discussion

mlick2
Apr 04, 2014

Allow or Redirect HTTPS traffic based on destination domain

I have the following iRule working for http traffic on a vs allowing only port 80. I need to do the same thing for https traffic but get cert errors on the client. I have tried turning on clientssl and serverssl on the vs with no change to the behavior.

The requirement behind this is to restrict web traffic from hosts behind the f5 to defined domains only. If there is a better way, please let me know.

when HTTP_REQUEST {
    # Allow-list of destination hosts. switch -glob uses Tcl string-match
    # semantics: a leading "*" is needed to match subdomains (the plain
    # "microsoft.com" entry matches only that exact host, and "*.live.com"
    # does not match the bare "live.com"), and matching is case-sensitive,
    # so the host is lower-cased first.
    switch -glob [string tolower [HTTP::host]] {
        "microsoft.com"  { pool APPDEV-USERVM-TRANSIT }
        "*.msdn.com"     { pool APPDEV-USERVM-TRANSIT }
        "*.windows.com"  { pool APPDEV-USERVM-TRANSIT }
        "*.technet.com"  { pool APPDEV-USERVM-TRANSIT }
        "*.live.com"     { pool APPDEV-USERVM-TRANSIT }
        default {
            # Any other host is redirected; the BIG-IP answers this request
            # itself, so no pool selection is needed here.
            HTTP::redirect "http://www.abc.com"
        }
    }
}

4 Replies

  • To do any Layer 7 behavior changes, you'll need SSL termination on the LTM with a clientssl profile. Let's focus on that as a first step. I'm a little curious though as to what host name is hitting this virtual server as it looks like multiple are coming through. SAN Certs can be used for multiple domains, but there are some restrictions there, too. Is this traffic outbound from your network to the domains you've provided in the example iRule?


  • mlick2

    Yes, this is outbound traffic from our hosts to external domains which we need to restrict access to. From your suggestion, I am wondering if something like this would work: https://devcentral.f5.com/articles/multiple-certs-one-vip-tls-server-name-indication-via-irules I currently have wildcard clientssl and serverssl certs applied, and if I hit a site not in the list, I get the redirect. However if I go to a site in the list, I get the cert warning but the connection does not complete.
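
The SNI approach in the article linked above works because the name the client is connecting to is sent in the clear in the TLS ClientHello (the server_name extension, RFC 6066), before any key is negotiated, so a host-based allow-list can be evaluated without terminating SSL at all. What follows is an added example, plain Python rather than iRule code and not from this thread or from F5: it parses a constructed ClientHello, extracts the SNI and applies the same glob patterns as the original iRule. The pool name and redirect target are taken from the thread; the ClientHello bytes, the "reject" outcome for a hello without SNI, the port-stripping helper for the HTTP::host side, and the assumption that the ".msdn.com"-style entries were meant as "*.msdn.com" are mine.

```python
"""Added example (plain Python, not iRule code): read the destination
hostname from a TLS ClientHello without decrypting anything, then apply
the thread's glob allow-list to it.  The ClientHello is constructed."""
import fnmatch
import struct

# The iRule's switch -glob patterns.  Assumption: the ".msdn.com"-style
# entries on the page lost a leading "*"; "microsoft.com" is kept verbatim.
ALLOWED = ["microsoft.com", "*.msdn.com", "*.windows.com",
           "*.technet.com", "*.live.com"]


def allowed(name):
    """Glob match with Tcl string-match semantics (fnmatchcase is the
    closest stdlib equivalent); Tcl is case-sensitive, so normalise first."""
    name = name.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, pat) for pat in ALLOWED)


def host_header_name(host):
    """HTTP::host may carry a port ("www.live.com:8443"); SNI never does."""
    if host.startswith("["):                      # IPv6 literal [::1]:443
        return host.split("]")[0][1:]
    return host.split(":")[0]


def sni_from_client_hello(record):
    """Return the server_name (RFC 6066) from a TLS ClientHello record, or
    None if it is not a ClientHello, has no SNI, or is truncated/malformed."""
    try:
        if record[0] != 0x16:                     # TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                         # ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                           # length fields disagree
        pos = 2 + 32                              # client_version, random
        pos += 1 + body[pos]                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        if pos + 2 > len(body):
            return None                           # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0:                     # 0 = server_name
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decide(record):
    """The iRule's decision taken on the SNI instead of HTTP::host.  A hello
    without SNI is rejected: there is no HTTP request yet to redirect."""
    name = sni_from_client_hello(record)
    if name is None:
        return ("reject", None)
    if allowed(name):
        return ("pool APPDEV-USERVM-TRANSIT", name)
    return ("redirect http://www.abc.com", name)


def build_client_hello(server_name=None):
    """Constructed minimal TLS ClientHello (one cipher suite, empty session
    id) with an optional server_name extension.  Test input, not a capture."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32            # client_version, random
            + b"\x00"                             # session_id length 0
            + b"\x00\x02\xc0\x2f"                 # cipher_suites: one entry
            + b"\x01\x00"                         # compression: null only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

`decide(build_client_hello("login.live.com"))` forwards to the pool, `decide(build_client_hello("www.microsoft.com"))` redirects because the bare "microsoft.com" pattern only matches that exact host, and a hello with no SNI can only be dropped. Two caveats the code carries: a client that omits SNI (old clients, or a connection made by IP address) cannot be redirected, because there is no HTTP request yet to answer, and if the hostname itself is encrypted (TLS 1.3 Encrypted Client Hello) this check sees nothing, which is the situation where the forward-proxy decryption described in the last reply becomes necessary.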


  • Have you done a tcpdump on both sides of the BIG-IP to see what the behavior looks like? The cert warning makes it seem like it is promising, but we may need to get down to the nitty gritty.


  • Hi Matt,


    If you want to decrypt SSL traffic destined for arbitrary FQDNs, and you have a root certificate that all client browsers trust, you can use the SSL forward proxy feature in LTM. It was added in 11.3.0:


    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html


    Aaron