IWhitmore
Jun 10, 2014

Redirect SSL to SSL with header rewrite and certificates

Hi all. I have a question on using 301 or 302 redirects and SSL. I'm not sure if this can be solved by iRules.

The problem is the following:

X.bb.com is 1.1.1.1. If a user tries to connect to X.bb.com, it queries the GTM, which returns 1.1.1.1. The user's browser then connects to the VIP 1.1.1.1 on the LTM (which has the certificate for X.bb.com). Everything is good.

If a user attempts to connect to Y.bb.com, the GTM returns 1.1.1.2. The user's browser then connects to the VIP on the LTM at 1.1.1.2, which redirects to 1.1.1.1. However, for this redirect to work there has to be a certificate for Y.bb.com, else the user will get a certificate error. If there is a certificate for Y.bb.com, everything is good.

Easy answer is to get a SAN certificate or a wildcard, or both! But if I only have a certificate for X.bb.com, is there a way to request Y.bb.com, get redirected to X.bb.com and rewrite the header that won't give a certificate error? Maybe the simple answer is "no", but I would just like to confirm that.

I guess another solution would be that when the user attempts to connect to Y.bb.com, the GTM returns 1.1.1.1 and the iRule rewrites the header to X.bb.com. Would that give a certificate error, as the user's browser still has Y.bb.com as the URL? I'm guessing it would.

Afraid I don't have an LTM to test at the mo'. Any help much appreciated!
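To make concrete why the redirect cannot help when only X.bb.com's certificate is installed, here is an added example (not from the original post and not F5 code): a small Python model of what the browser does on an https:// URL. The certificate data is constructed, the name matching is a simplified RFC 6125 check, and the VIP addresses and the names X.bb.com and Y.bb.com are the thread's own. The point it shows is ordering: the browser checks the certificate against the hostname in the URL during the TLS handshake, before any HTTP request exists for an iRule to see, redirect or rewrite, so the VIP that answers for Y.bb.com must present a certificate covering Y.bb.com (a second certificate, a SAN certificate or a wildcard) for the 301 to X.bb.com ever to be delivered.

```python
"""
Added example for this thread (not F5 code or the poster's): a model of the
order in which a browser does things on an https:// URL. Certificate
verification happens in the TLS handshake, against the host in the URL,
before the HTTP request that an iRule could redirect or rewrite exists.
Certificates are constructed dicts; matching is a simplified RFC 6125 check.
"""
from typing import Dict, List, Optional, Tuple

# Constructed certificates: "cn" is the subject CN, "san" the dNSName SANs.
CERT_X_ONLY: Dict[str, List[str]] = {"cn": ["X.bb.com"], "san": ["X.bb.com"]}
CERT_SAN: Dict[str, List[str]] = {"cn": ["X.bb.com"], "san": ["X.bb.com", "Y.bb.com"]}
CERT_WILDCARD: Dict[str, List[str]] = {"cn": ["*.bb.com"], "san": ["*.bb.com"]}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.
    A '*' is accepted only as the entire leftmost label, only when at least
    two labels follow it, and it matches exactly one label (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: Dict[str, List[str]], hostname: str) -> bool:
    """Browsers check dNSName SANs and fall back to the CN only if there are none."""
    names = cert.get("san") or cert.get("cn", [])
    return any(hostname_matches(n, hostname) for n in names)


def https_request(url_host: str, vip_cert: Dict[str, List[str]],
                  redirect_to: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """One browser request to a VIP: handshake first, then the HTTP answer.
    Returns ('certificate_error', None), ('redirect', location) or ('ok', None)."""
    if not cert_covers(vip_cert, url_host):
        return ("certificate_error", None)            # handshake fails; no HTTP is ever sent
    if redirect_to:
        return ("redirect", f"https://{redirect_to}/")  # the iRule's 301/302 is delivered
    return ("ok", None)


def scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """The thread's cases: browser URL Y.bb.com, VIP 1.1.1.2 redirecting to X.bb.com."""
    return {
        "only X cert on 1.1.1.2": https_request("Y.bb.com", CERT_X_ONLY, "X.bb.com"),
        "SAN cert on 1.1.1.2": https_request("Y.bb.com", CERT_SAN, "X.bb.com"),
        "wildcard cert on 1.1.1.2": https_request("Y.bb.com", CERT_WILDCARD, "X.bb.com"),
        # GTM variant: Y.bb.com resolves straight to 1.1.1.1, which holds only X's cert
        "Y resolves to 1.1.1.1 (X cert)": https_request("Y.bb.com", CERT_X_ONLY, None),
        "direct request to X.bb.com": https_request("X.bb.com", CERT_X_ONLY, None),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:34} -> {result}")
```

Running it shows the two cases the question asks about both ending in `certificate_error`: a VIP holding only X's certificate, whether reached via 1.1.1.2 or by pointing Y.bb.com at 1.1.1.1, never gets as far as sending the redirect or seeing a Host header to rewrite. The SAN and wildcard rows pass the handshake and the redirect is delivered.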

7 Replies

  • Sorry to just point you somewhere else, but this post/question has some good comments/answers on how you'll have to complete this. The short of it is you want an iRule to do a full redirect from y.bb.com to x.bb.com. An iRule redirect should not result in a cert error. However a DNS CNAME/Alias may result in a cert error.
    • IWhitmore
      Thanks for your reply Steve. You are right, it shouldn't result in a cert error if I redirect from HTTP to HTTPS or from HTTPS to HTTPS if I have a SAN cert for both sub-domains, or a wildcard or two separate SSL certs (one for x and one for y). The problem I have though is slightly different. If I only have a cert for x, how can I redirect an https request from y to x without it throwing a cert error? The solution in the post you pointed to was to use the same DNS for both domains and have a SAN cert (which is not available to me) and then rewrite the header. It never says whether or not he actually got it working in the end. But having a SAN cert makes the problem a lot easier. Interesting one for a lab maybe.
  • Hi!

    Short answer, no. :)

    Slightly longer answer:

    You can't use two different certificates on the same VIP and base the certificate choice on the host header, as the host header is encrypted when the request comes in. A bit like the chicken and the egg. It's also because of this that you can't rewrite the host header for incoming requests with an iRule.

    /Patrik

  • You can actually specify multiple client SSL profiles (hence multiple certificates) on one virtual server based on TLS SNI. This may be of use to you.

    http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html

    • Thanks Cory! That was new to me and looks really promising. If his clients support TLS, that's an eligible option. Hope F5 gets native support for it later. /Patrik
    • Arie
      The demise of Windows XP finally made this option truly available, as it was just about the only OS (i.e. all versions of IE on XP) that isn't compatible with SNI. Of course, this limitation still applies if a significant portion of a site's visitors are using XP. Many governments are paying Microsoft for extended support since they're still using XP.
    • I made a study of our user base and close to 10% of them use SSLv3. Agent strings suggest the culprits to be XP, Mac OS and Linux. I never imagined it to be that high.