Employee
owen
Posts: 213
Registered: 09-14-2011
0

Re: Handle https requests from multiple domains in load balancer

Support for the TLS server name extension was added in version 5.1.

Each IP and port combination can only have one Virtual Server assigned to it, but a virtual server can support multiple different SSL-enabled sites.

Go to the Virtual Server -> Edit page and you will see a configuration option to add additional 'certificate mappings' where you can specify an alternative certificate to supply in the SSL ServerHello, based on the IP address that the client connected to or the name in the TLS server name field.

Fry
twops
Posts: 1
Registered: yesterday
0

Re: Handle https requests from multiple domains in load balancer

Hi there,

I've seen several references to using TLS Server Name Response (SNI) with Stingray Traffic Manager.

Some reference this great article about using this function of TLS to identify which browsers support SNI:
http://blogs.riverbed.com/stingray/2009/10/using-trafficscript-to-analyze-client-tls-server-name-sup...

Others, like this one, include the fact that ssl.getTLSServerName() doesn't support SSL-passthrough virtual servers.

In the case where the traffic manager is doing the SSL decryption, can multiple HTTPS virtual servers be created on a single IP address and port combination? We're using ZTM 7.4 instances launched via RightScale, and we see an error message indicating that only one virtual server may exist for any single IP/port combination.

This would indicate that a single HTTPS virtual server should be configured with TrafficScript to provide a specific certificate to match the supplied domain (and send traffic to a specific pool).

The TrafficScript referenced in the original post from this thread included an example that works in HTTP virtual servers.

Can this be extended to include a solution for HTTPS virtual servers as well?

Is there a TrafficScript example that can be used as a reference for a method to accomplish this?

Alternately, if this feature is only supported in a later version of the traffic manager, we'd like to know this as well.

Any help would be greatly appreciated.

Thanks.

Employee
owen
Posts: 213
Registered: 09-14-2011
0

Re: Handle https requests from multiple domains in load balancer

Response from Michael Granzow, Member of Technical Staff, Stingray Business Unit

> Do we need to get more IP addresses for the load balancer server?

Since you're saying that you cannot SSL-decrypt the traffic, yes you do.

Server Name Indication (SNI, see http://blogs.riverbed.com/stingray/2009/10/using-trafficscript-to-analyze-client-tls-server-name-sup... for details) could help you out, but

1. not all browsers support it

2. the TrafficScript function ssl.getTLSServerName() doesn't work for SSL-passthrough virtual servers (although technically it could (and hence should)).

Administrator
mgyles
Posts: 26
Registered: 10-20-2011
0

Handle https requests from multiple domains in load balancer

We need to configure multiple virtual servers in order to receive calls for multiple domains.

However, we can only use one IP:port combination for each virtual server.

We use TrafficScript on the load balancer in order to achieve this.

Here is an example:

# Route by the HTTP Host header; only works once the request is in the clear
$hostHeader = http.getHostHeader();
if( $hostHeader == "mysite.com" || $hostHeader == "www.mysite.com" ){
   pool.use( "mysite" );
}
else if( $hostHeader == "othersite.com" ){
   pool.use( "othersite.com" );
}

 

That's OK for HTTP requests, but not for HTTPS requests.
(We understand that the HTTPS request headers are encrypted.)

We still need to balance HTTPS calls from multiple domains, but we don't know what the best way to do it is.

Do we need to get more IP addresses for the load balancer server?

We also thought that maybe what we need is to decrypt the HTTPS request, get the Host header, encrypt again and send it to the backend server, but we only have the simple version of the load balancer (without SSL options).
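As an added example (not code from this thread or from Riverbed), here is how the Host-header rule above carries over to a single decrypting HTTPS virtual server on one IP:port, once per-site certificates are handled by the 'certificate mappings' described earlier in the thread. The pool names, hostnames and the helper functions string.lower, string.regexsub, log.info and http.sendResponse are assumptions about the TrafficScript environment; the rule only selects the pool and logs SNI/Host mismatches, it does not choose the certificate.

```trafficscript
# Added example, not from the original post. Request rule for an HTTPS
# virtual server that decrypts TLS itself; certificate selection per site
# is done in Virtual Server -> Edit (certificate mappings), not here.
# Pool names and hostnames below are placeholders.

# After decryption the Host header is visible exactly as for plain HTTP.
$host = string.lower( http.getHostHeader() );

# Drop an explicit port ("www.mysite.com:443") so the comparison is exact.
$host = string.regexsub( $host, ":[0-9]+$", "" );

# Name from the TLS server name extension, empty when the client sent none.
# Only available on decrypting virtual servers; on SSL-passthrough virtual
# servers this returns nothing, as noted in this thread.
$sni = ssl.getTLSServerName();

# Record a mismatch between SNI and Host so misdirected or spoofed requests
# show up in the event log; the Host header still decides the routing.
if( $sni != "" && $sni != $host ) {
   log.info( "SNI/Host mismatch: sni=" . $sni . " host=" . $host );
}

if( $host == "mysite.com" || $host == "www.mysite.com" ) {
   pool.use( "mysite" );
} else if( $host == "othersite.com" || $host == "www.othersite.com" ) {
   pool.use( "othersite" );
} else {
   # Unknown or missing Host header: refuse instead of falling through to
   # a pool that serves another site's content under this certificate.
   http.sendResponse( "404 Not Found", "text/plain", "Unknown host\n", "" );
}
```

Attach the rule as a request rule on the HTTPS virtual server and add one certificate mapping per site name; the IP:port limit is then no longer a problem because one virtual server serves every site.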
