Certificate Selection with Class-List (Alternative to SNI)
Server Name Indication (SNI) is a feature in 2.7 that allows you to simplify your config by defining only one HTTPS VIP while serving multiple certificates for different domains from that same VIP address. SNI is not supported on older browsers, however. An alternative to SNI is to use multi-domain certificates, whose cost increases with each domain you add.
Unless you decide to use SNI or multi-domain certs, you must define a separate VIP for each client-SSL template you use. To simplify the config, you can define a single wildcard VIP and use an aFlex policy to map destination IP addresses to client-SSL templates. A wildcard VIP answers for traffic based on the ACL that is associated with it.
The config below outlines how to set up a class-list mapping IP addresses to client-SSL templates, and how to associate it with a wildcard VIP:
Notes:
- You must route or otherwise force traffic within the ACL mask to the interface IP, which has promiscuous VIP mode enabled
- The VIP port is defined as 443 HTTP; SSL is enabled by the aFlex policy, not by the port definition
- The class-list associates the IP address the client is trying to connect to (the VIP's local address) with a client-SSL template
Base config:
access-list 101 permit ip any 10.10.20.240 0.0.0.15
access-list 101 permit tcp any 10.10.20.240 0.0.0.15
interface ve 2/20
ip address 10.10.20.101 255.255.255.0
ip allow-promiscuous-vip
slb virtual-server wildcard-vip 0.0.0.0 acl 101
port 443 http
source-nat pool snat1
service-group http-sg
aflex wildcard-ssl
Class-list:
Content:
str 10.10.20.241 client-ssl1
str 10.10.20.242 client-ssl2
str 10.10.20.243 client-ssl3
.....
aFlex:
#################################################
#
# SSL Template selection w/ class-list
# (c) A10 Networks -- MP
# v1 20131008
#
#################################################
#
# aFleX script to select an SSL Template based
# on the Local IP.
#
# The class-list for the redirects is called
# "cl-ssl-templates" (default) of type "string" and has
# to contain the following data:
# str
#
# For example:
# str 172.16.100.57 client-ssl1
# str 172.16.100.58 client-ssl2
#
# Scalability of this aFlex is unknown.
#
# Questions & comments welcome.
# mpeters@a10networks.com
#
#################################################
when RULE_INIT {
# Set to 1 to log every template selection
set ::DEBUG 0
# Name of the string class-list holding "str <local IP> <client-SSL template>" entries
set ::CLASSLIST "cl-ssl-templates"
# Template used when the local IP has no class-list entry
set ::DEFAULTSSL "client-ssl1"
set ::POOL "http-sg"
}
when CLIENT_ACCEPTED {
# The destination address the client connected to (the wildcard VIP answers for the whole ACL range)
set LocalIP [IP::local_addr]
# Look up the client-SSL template for that address; empty string when there is no match
set SSLTemplate [CLASS::match $LocalIP equals $::CLASSLIST value]
if { $SSLTemplate != ""} {
SSL::template clientside $SSLTemplate
pool $::POOL
if { $::DEBUG == 1 } { log "SSL Template: $LocalIP -> $SSLTemplate" }
} else {
# No class-list entry: fall back to the default template so the handshake still completes
SSL::template clientside $::DEFAULTSSL
pool $::POOL
}
}
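To reason about what the wildcard VIP plus aFlex combination does before deploying it, the following added Python model (not A10 code) reproduces the selection path: the ACL wildcard-mask match that decides whether the VIP answers at all, the class-list lookup, and the default-template fallback. It also includes a config check for class-list entries the ACL would never deliver to the VIP. The class-list content and ACL values are constructed from the article's config.

```python
import ipaddress

# Constructed sample data mirroring the article's config (not device output).
ACL_ENTRIES = [("10.10.20.240", "0.0.0.15")]  # access-list 101 ... 10.10.20.240 0.0.0.15
CLASS_LIST_TEXT = """\
str 10.10.20.241 client-ssl1
str 10.10.20.242 client-ssl2
str 10.10.20.243 client-ssl3
"""
DEFAULT_SSL = "client-ssl1"   # mirrors ::DEFAULTSSL in the aFlex


def parse_class_list(text):
    """Parse 'str <ip> <template>' lines into a dict keyed by destination IP."""
    mapping = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0] != "str":
            continue  # skip blank, comment or malformed lines
        mapping[parts[1]] = parts[2]
    return mapping


def acl_permits(ip, entries=ACL_ENTRIES):
    """ACL wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    addr = int(ipaddress.IPv4Address(ip))
    for base, wildcard in entries:
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wildcard))
        if (addr & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF):
            return True
    return False


def select_ssl_template(local_ip, class_list, default=DEFAULT_SSL):
    """Mirror the CLIENT_ACCEPTED logic: class-list hit, else the default template.

    Returns None when the ACL does not permit the address, i.e. the wildcard
    VIP never answers and no TLS handshake takes place.
    """
    if not acl_permits(local_ip):
        return None
    return class_list.get(local_ip, default)


def unreachable_entries(class_list):
    """Config check: class-list IPs that the ACL would never deliver to the VIP."""
    return sorted(ip for ip in class_list if not acl_permits(ip))
```

Note that any address inside the ACL range but absent from the class-list silently gets the default template, so a certificate name mismatch on an unexpected VIP address is a class-list gap, not an aFlex failure.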