Forum Discussion

donmon_10187
Oct 14, 2013

Using iRules to conserve public IP addresses

Hello all,

I've been tasked with coming up with a solution using one public IP address and load balancing it to multiple pools using iRules and host headers. Currently, we're doing a one-to-one NAT. I created a virtual server and used the iRule below, which is using Data Groups. I was able to successfully accomplish this for http but I cannot get https to work. If anyone can provide some input, I'd much appreciate it.

    when HTTP_REQUEST {
        # Look up the lowercased Host header in the TestRedirect data group;
        # -value returns the matching record's data (the pool name), or ""
        # when no record matches, so one lookup replaces the match/value pair.
        set usepool [class match -value [string tolower [HTTP::host]] equals TestRedirect]
        if { $usepool ne "" } {
            # Matched: send this request to the pool named in the data group.
            pool $usepool
        }
    }

Here is the Data Group for the http pools.

    ltm data-group internal /Common/TestRedirect {
        records {
            TESTA.net {
                data TESTA_80_pool
            }
            TESTB.org {
                data TESTB_80_pool
            }
            TESTC.com {
                data TESTC_80_pool
            }
        }
        type string
    }
  • The only way this would work is if you had an SSL certificate containing SANs for each domain you want to use for your iRule; without a proper SSL cert to decrypt the traffic, what you want to do is impossible.


  • nathe

    Would it be impossible? You'd need a client SSL profile so the F5 can decrypt the traffic so the iRule can inspect the HTTP traffic. Then, if there is a cert mismatch, wouldn't you just get the certificate warning in the browser and need to click Continue? Not pretty of course, so yes, you'd want a wildcard cert of some description.


  • I was assuming that they wanted it to be seamless rather than present a cert error, but you are correct: if you didn't mind the cert error appearing, any cert applied to a client SSL profile would work for this.


  • Thanks for the information guys. I'll explore the options. Seamless is what we'd want but I'll need to build the solution first and go from there.
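An added example, not part of this thread and not F5 code: a Python model of the host-to-pool lookup the iRule performs on the data group from the question, plus the check the replies point at, whether the certificate on the client SSL profile actually covers every host in the data group (a wildcard entry covers one label only, so it does not cover the bare domain). The data-group text is the one from the question; the SAN list passed at the end is a constructed assumption.

```python
import re

# Constructed sample: the data-group text from the question, verbatim.
DATA_GROUP = """ltm data-group internal /Common/TestRedirect {
    records {
        TESTA.net {
            data TESTA_80_pool
        }
        TESTB.org {
            data TESTB_80_pool
        }
        TESTC.com {
            data TESTC_80_pool
        }
    }
    type string
}"""

RECORD_RE = re.compile(r"(\S+)\s*\{\s*data\s+(\S+)\s*\}")

def parse_data_group(text):
    """Map hostname -> pool from a 'type string' data group; keys are
    lowercased to mirror [string tolower [HTTP::host]] in the iRule."""
    return {host.lower(): pool for host, pool in RECORD_RE.findall(text)}

def select_pool(host_header, table):
    """Exact, case-insensitive lookup of the Host header (port stripped)."""
    return table.get(host_header.split(":", 1)[0].lower())

def cert_name_matches(cert_name, host):
    """True if one dNSName SAN entry covers host. A wildcard is only accepted
    as the whole leftmost label and matches exactly one label, so *.testb.org
    covers www.testb.org but neither testb.org nor a.b.testb.org."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                      # ".testb.org"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label

def uncovered_hosts(table, san_names):
    """Data-group hosts the client SSL profile's certificate does not cover,
    i.e. the names browsers would warn about after the TLS handshake."""
    return sorted(h for h in table
                  if not any(cert_name_matches(n, h) for n in san_names))

# Assumed SAN list: the apex testb.org and testc.com are reported as uncovered.
print(uncovered_hosts(parse_data_group(DATA_GROUP), ["testa.net", "*.testb.org"]))
```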