
Supporting multiple services selective client-ssl and server-ssl w/ single VIP

We have a need to support numerous services behind a single VIP. URL switching makes this fairly easy; however, some sites use client-ssl, and other sites use client & server-ssl. What would an effective AFLEX look like to support this SSL-template selection based on specific header content?

Comments

  • edited February 2014
  • cgutierrez Member
    edited February 2014
    Sort of the same...but uses class-list match on IP values. I am not certain how to write it to match on header values with an if/if/else, and also having it use two ssl templates (client and server), or select between using one vs both. That or since the URL switching is enabled, having the aflex pick up on the service-group selected based on the URL-switching, then determine which SSL template to use, or both.
  • edited February 2014
    The reason it is done based on source IP is that the SSL session is set up as part of the TCP session. The certificate is sent to the client before the HTTP request is seen, so the URL and host header are not yet known at that time. The only alternative is to use SNI. You can read up on that in the 2.7.0 release notes. If you need help I suggest you open a support ticket and copy your local systems engineer. If you need help with contact information let me know. cole@a10networks.com. /cole