serverssl, SNI, vHosts
Hi,
I wonder how to solve such an issue:
- Target server is using vHosts and HTTPS
- Each vHost has a separate certificate for its FQDN (no wildcard or SAN)
- Traffic is passed to target servers via one VS with a Local Traffic Policy switching Pools based on the Host header
- The VS is of course doing decryption, so multiple clientssl profiles with SNI enabled are assigned
I wonder how to configure serverssl profiles. Serverssl profiles are assigned at the VS, not the Pool, so how can it be done? Multiple serverssl profiles, each with the FQDN of the target vHost? If so, how will the VS know which serverssl profile to use to present the correct FQDN to the target vHost during the SSL handshake?
To me it seems not possible, or is there some way?
Example:
VS IP has two entries in DNS:
- 10.10.1 www.host1.com
- 10.10.1 www.host2.com
I have two clientssl profiles assigned to the VS with these Server Name field values:
- clientssl_host1 - www.host1.com
- clientssl_host2 - www.host2.com
I have two serverssl profiles assigned to the VS with these Server Name field values:
- serverssl_host1 - host.host1.com
- serverssl_host2 - host.host2.com
The VS has no default Pool, just a Local Traffic Policy choosing:
- Pool host1_pl if the Host header is www.host1.com. First, of course, it does the SSL handshake using clientssl_host1 based on the SNI value from the client. This Pool points to Pool Member 192.168.1.1:443 (this is necessary to assign a monitor sending the correct value in the Host header, in this case Host: host.host1.com)
- Pool host2_pl if the Host header is www.host2.com. This Pool also points to Pool Member 192.168.1.1:443 (this is necessary to assign a monitor sending the correct value in the Host header, in this case Host: host.host2.com)
Let's say the target node is 192.168.1.1. On this node we have two vHosts using certificates for the FQDNs:
- host.host1.com
- host.host2.com
So how can the VS know that when pool host1_pl is chosen, the serverssl_host1 profile should be used to send the SNI value host.host1.com to the target vHost? Both Pool Members use the same IP:port, so even if a reverse DNS query were performed it would return both host.host1.com and host.host2.com no matter which Pool is used (the same IP:port is defined for the Pool Members in both Pools).
Probably it could be solved in 11.6+ using FQDN for Nodes? Then we could define two separate nodes:
- host.host1.com
- host.host2.com
and then use them when creating the Pool Members for each Pool, so:
- Pool host1_pl - host.host1.com:443
- Pool host2_pl - host.host2.com:443
but I am not sure if it will work?
Piotr
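As an added defender-side check (not part of Piotr's post and not F5 configuration), here is a Python probe that connects to the node with each vHost FQDN as the SNI value and reports whether the certificate the node presents actually covers that name. This is the server-side behaviour the serverssl profile's Server Name is meant to trigger, so it shows directly what happens when the wrong (or no) SNI reaches the target. The address 192.168.1.1:443 and the FQDNs come from the post; CA_FILE is an assumed environment variable pointing at the internal CA that signed the vHost certificates.

```python
"""Probe a TLS backend per vHost FQDN: send that FQDN as SNI, inspect the cert presented."""
import os
import socket
import ssl
import sys


def names_in_cert(cert):
    """DNS names from a getpeercert()-style dict: SAN DNS entries, then the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        same_depth = hostname.count(".") == pattern.count(".")
        return same_depth and hostname.endswith(pattern[1:])
    return False


def cert_covers(cert, hostname):
    """True if any name in the certificate covers the hostname we sent as SNI."""
    return any(name_matches(n, hostname) for n in names_in_cert(cert))


def probe(ip, port, sni, ca_file=None):
    """Handshake with the given SNI; return (cert dict, whether it covers the SNI).
    Chain verification stays on so the cert is parsed; the name check is ours,
    so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return cert, cert_covers(cert, sni)


if __name__ == "__main__":
    # e.g. python probe.py 192.168.1.1 443 host.host1.com host.host2.com
    ip, port = sys.argv[1], int(sys.argv[2])
    for fqdn in sys.argv[3:]:
        cert, ok = probe(ip, port, fqdn, ca_file=os.environ.get("CA_FILE"))
        print(f"{fqdn}: {'OK' if ok else 'MISMATCH'} (cert names: {names_in_cert(cert)})")
```

Run it once per FQDN with and without the vHost name as SNI; a MISMATCH on the second run confirms the backend relies on SNI to pick the certificate, which is exactly why the serverssl profile must carry the right Server Name.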