
Saturday, March 30, 2013

How to host 2 ssl sites on a single public IP on F5 load balancer

As the pool of free IPv4 addresses shrinks, it is important to manage our existing assigned public IPs efficiently. One option is SSL offloading: hosting multiple HTTPS sites on a single public IP using a wildcard certificate.

The core of this solution is the configuration of the load balancer and the vhost settings on your servers. The server reads the HTTP Host header and, based on it, decides which site the user is trying to access.


How to configure servers and load balancer to host 2 ssl sites on a single public IP.

Analysis and example configuration
  • Example F5 configuration
For SSL to work we need a wildcard certificate.
We have to import the certificate and key into the F5 and create a client-side SSL profile.

Example wildcard certificate:
# openssl x509 -in /var/tmp/ -noout -text
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale,, Inc., OU=, CN=Go Daddy Secure Certification Authority/serialNumber=111111
            Not Before: Nov 21 11:57:16 2012 GMT
            Not After : Nov 20 09:31:37 2013 GMT
        Subject: O=*, OU=Domain Control Validated, CN=*

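Before importing a wildcard certificate into the F5, it is worth checking that the names of both sites are actually covered by it. The check below is an added example, not code from the post: it applies the single-label, leftmost-only wildcard rule that TLS clients use to a CN or SAN pattern. The pattern "*.example.com" and the hostnames are constructed, since the post elides its real names.

```python
# Added example (not from the original post): which hostnames does a wildcard
# certificate name cover? Implements the leftmost, whole-label wildcard rule
# (RFC 6125 section 6.4.3) that browsers and OpenSSL apply. All names below
# are constructed for illustration.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules applied:
      - comparison is case-insensitive and ignores a trailing dot;
      - the wildcard must be the complete leftmost label ('*.example.com');
        partial forms like 'w*.example.com' are rejected;
      - the wildcard matches exactly one label, so 'a.b.example.com' and
        the bare apex 'example.com' are NOT covered by '*.example.com';
      - at least two labels must follow the wildcard ('*.com' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    if len(plabels) < 3 or len(hlabels) != len(plabels):
        return False
    # the wildcard label itself must be non-empty on the host side
    return hlabels[0] != "" and hlabels[1:] == plabels[1:]


def covered_names(pattern: str, hostnames) -> list:
    """Return the subset of `hostnames` that `pattern` covers, in order."""
    return [h for h in hostnames if wildcard_matches(pattern, h)]


if __name__ == "__main__":
    # Constructed sites that would sit behind one virtual server on the F5.
    sites = ["vhost1.example.com", "vhost2.example.com",
             "example.com", "api.eu.example.com"]
    for name in sites:
        print(f"{name:24s} covered: {wildcard_matches('*.example.com', name)}")
```

Two caveats the output makes visible: the apex name (example.com) and any deeper subdomain are not covered by "*.example.com", so every site sharing the virtual server must sit one label below the wildcard; and because all of those sites share one certificate and private key on the load balancer, a key compromise affects every site behind it, not just one. The same check applies to each dNSName in the Subject Alternative Name extension, which current browsers consult instead of the CN.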
SSL profile:
# tmsh list ltm profile client-ssl  wildcard-client-ssl-profile
ltm profile client-ssl wildcard-client-ssl-profile {
    chain CA.crt
    defaults-from clientssl

Virtual server to terminate and load balance the traffic:
# tmsh list ltm virtual VS-
ltm virtual VS- {
    ip-protocol tcp
    pool POOL-
    profiles {
        http { }
        tcp { }
        wildcard-client-ssl-profile {
            context clientside

Servers where the traffic is going to be load balanced:
# tmsh list ltm pool POOL-
ltm pool POOL- {
    load-balancing-mode least-connections-member
    members { {
            session monitor-enabled
        } {
            session monitor-enabled
    monitor http
  • Apache configuration on one of the servers

    This is a simple example configuration for the HTTP server.
    # cat vhost1.conf
    <VirtualHost *:80>
            DocumentRoot /var/www/vhost1
    # cat vhost2.conf
    <VirtualHost *:80>
            DocumentRoot /var/www/vhost2
    # cat /var/www/vhost1/index.html
    <html><body><h1>It works!</h1>
    This is VHOST 1
    # a2ensite vhost1.conf 
    # a2ensite vhost2.conf 
    # service apache2 reload

    A quick local test on the server will confirm if the config is correct.
    # curl -v -H "Host:"
    * About to connect() to port 80 (#0)
    *   Trying connected
    > GET / HTTP/1.1
    > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/ libidn/1.23 librtmp/2.3
    > Accept: */*
    > Host:
    < HTTP/1.1 200 OK
    < Date: Sat, 30 Mar 2013 23:42:20 GMT
    < Server: Apache/2.2.22 (Ubuntu)
    < Last-Modified: Sat, 30 Mar 2013 23:19:21 GMT
    < ETag: "b46bb-47-4d92c9e17f040"
    < Accept-Ranges: bytes
    < Content-Length: 71
    < Vary: Accept-Encoding
    < Content-Type: text/html
    <html><body><h1>It works!</h1>
    This is VHOST 1
    * Connection #0 to host left intact
    * Closing connection #0
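
The two pieces that make this setup work are the backend choosing a site by Host header (the explanation at the top of the post) and the curl check against each name on the same address (just above). The block below is an added example, not code from the post or from Apache: a minimal HTTP backend on one loopback address that dispatches on the Host header, plus a check that requests each vhost name over that single address, as the F5 would after terminating SSL. The hostnames and page bodies are constructed.

```python
# Added example, not from the original post: a backend that dispatches on the
# HTTP Host header, and the check the post does with curl, run for every vhost
# name against one IP:port. Hostnames and bodies are constructed.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed vhost table: one shared address, content chosen by Host header.
VHOSTS = {
    "vhost1.example.com": b"<html><body><h1>It works!</h1>\nThis is VHOST 1\n",
    "vhost2.example.com": b"<html><body><h1>It works!</h1>\nThis is VHOST 2\n",
}


class HostDispatchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Host may carry a port ("vhost1.example.com:8080"); strip it, as Apache does.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(host)
        if body is None:
            # Apache 2.2 would quietly serve the first-defined vhost here. Answering
            # 421 instead makes a mis-routed or forged Host header visible in logs.
            self.send_response(421, "Misdirected Request")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), HostDispatchHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, host_header):
    """Equivalent of `curl -H "Host: <name>" http://127.0.0.1:<port>/`."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result


def run_check():
    """Probe every configured name plus one unknown name; return {name: (status, body)}."""
    srv = start_server()
    try:
        port = srv.server_address[1]
        return {name: probe(port, name) for name in (*VHOSTS, "other.example.com")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, (status, body) in run_check().items():
        last_line = body.decode().splitlines()[-1] if body else ""
        print(f"{name:20s} {status} {last_line}")
```

Running it shows the same thing the curl test does: the address never changes, only the Host header does, and each name gets its own document. The unknown name is the case worth adding to a real check, because on the F5 side every hostname that resolves to the public IP reaches the same pool, and whichever vhost answers a stray Host header is what an attacker-supplied Host header would reach as well.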
