serverssl, SNI, vHosts
Hi, I wonder how to solve such an issue:

- Target server is using vHosts and HTTPS
- Each vHost has a separate certificate for its FQDN (no Wildcard or SAN)
- Traffic is passed to target servers via one VS with a Local Traffic Policy switching Pools based on the Host header
- The VS is of course doing decrypting, so multiple clientssl profiles with SNI enabled are assigned

I wonder how to configure serverssl profiles. Serverssl profiles are assigned at the VS, not the Pool, so how can it be done? Multiple serverssl profiles, each with the FQDN of the target vHost? If so, how will the VS know which serverssl to use to present the correct FQDN to the target vHost during the SSL handshake? For me it seems not possible, or is there some way?

Example:

VS IP has two entries in DNS:

10.10.1 www.host1.com
10.10.1 www.host2.com

I have two clientssl profiles assigned to the VS with Server Name field values:

clientssl_host1 - www.host1.com
clientssl_host2 - www.host2.com

I have two serverssl profiles assigned to the VS with Server Name field values:

serverssl_host1 - host.host1.com
serverssl_host2 - host.host2.com

The VS has no default Pool, just a Local Traffic Policy choosing:

- Pool host1_pl if the Host header is www.host1.com. First of course it's doing the SSL handshake using clientssl_host1 based on the SNI value from the client. This Pool points to Pool Member 192.168.1.1:443 (this is necessary to assign a monitor sending the correct value in the Host header, in this case Host: host.host1.com)
- Pool host2_pl if the Host header is www.host2.com. This Pool is as well pointing to Pool Member 192.168.1.1:443 (this is necessary to assign a monitor sending the correct value in the Host header, in this case Host: host.host2.com)

Let's say the target node is 192.168.1.1. On this node we have two vHosts using certificates for FQDN:

host.host1.com
host.host2.com

So how can the VS know that when pool host1_pl is chosen, the serverssl_host1 profile should be used to send SNI value host.host1.com to the target vHost?

Both Pool Members are using the same IP:port, so even if a reverse DNS query were performed it would return both host.host1.com and host.host2.com no matter which Pool is used (same defined IP:port for Pool Members in both Pools). Probably it could be solved in 11.6+ using FQDN for Nodes? So we can define two separate nodes:

host.host1.com
host.host2.com

and then use them when creating Pool Members for each Pool, so:

Pool host1_pl - host.host1.com:443
Pool host2_pl - host.host2.com:443

but I am not sure if it will work?

Piotr (330 views, 0 likes, 8 comments)

Monitor one VS pointing to multiple vHosts
Hi, I wonder if my idea is correct or there is a better way to configure LTM.

Scenario:
- Multiple services using one IP:port and different FQDNs (vHosts)
- HTTPS used

Setup:
- One VS with SSL offload
- Local Traffic Policy selecting the pool based on the Host header
- As many separate Pools as vHosts, each with identically configured Pool Members (IP:port) but a unique monitor assigned
- As many monitors as vHosts, each using the correct Host header in the GET request

Result:
- Each vHost (separate Pool Member in separate Pool) has a monitor assigned with the correct Host header
- Traffic is directed to the correct Pool based on the Host header content using the Local Traffic Policy (or iRule)
- Only the service that is not working is marked down by its monitor, not affecting other services under the identical IP:port pair.

Is the above correct or maybe there is some better way?

Piotr (172 views, 0 likes, 1 comment)
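An added example, not from either post above and not F5's own code, showing how the two mechanisms both posts rely on could be expressed as one iRule instead of a Local Traffic Policy: pick the per-vHost pool from the Host header, and pick the serverssl profile whose Server Name field carries the backend vHost's FQDN so the server-side ClientHello presents the name that vHost expects. It reuses the pool and profile names from the first post. Assumptions that the page does not confirm: `SSL::profile` is accepted in `HTTP_REQUEST` for setting the server-side profile before the server connection is opened (check the iRule reference for your software version), and a request whose Host header matches no known vHost is rejected with a 404 rather than falling through to a default pool.

```tcl
# Added example iRule (Tcl 8.4 style, as iRules require), not from the
# original posts or from F5. Uses the pool and profile names from the
# first post; attach it to the HTTPS virtual server in place of the
# Local Traffic Policy.

when HTTP_REQUEST {
    # Normalise the Host header: lower-case and drop any ":port" suffix.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    switch -- $host {
        "www.host1.com" {
            set pool_name   "host1_pl"
            set ssl_profile "serverssl_host1"  ;# Server Name: host.host1.com
        }
        "www.host2.com" {
            set pool_name   "host2_pl"
            set ssl_profile "serverssl_host2"  ;# Server Name: host.host2.com
        }
        default {
            # Unknown Host: reject rather than send it to a pool whose
            # serverssl profile would present the wrong name to the backend.
            HTTP::respond 404 content "Unknown host" Connection close
            return
        }
    }

    # Select the serverssl profile before the server-side connection is
    # opened; its Server Name field supplies the SNI the backend vHost expects.
    # Assumption: SSL::profile is accepted in HTTP_REQUEST on your version.
    SSL::profile $ssl_profile

    # Both pools contain the same member 192.168.1.1:443, but each carries
    # its own monitor sending the matching backend Host header (second post),
    # so only the vHost that is actually failing is marked down.
    pool $pool_name

    log local0.debug "Host $host -> pool $pool_name, serverssl $ssl_profile"
}
```

One thing worth testing before relying on this: the serverssl profile is bound to the server-side connection, while `pool` is evaluated per request. If a client sends requests for both vHosts over one keep-alive connection, the second request may reuse a server-side connection that was opened with the first vHost's profile, so confirm in the debug log (and in the backend vHost's access log) that each request arrives with the expected SNI, and consider whether your connection-reuse settings need adjusting.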