Does anyone know if it's possible to use the same VIP with different certificates on a CSS 11503? For example with the below config, contained in the same ssl-proxy-list, have one VIP assigned to multiple certificates.
ssl-server 100 rsacert site1cert
ssl-server 100 rsakey site1key
ssl-server 100 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
ssl-server 100 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
ssl-server 100 vip address 10.20.30.40
ssl-server 200 rsacert site2cert
ssl-server 200 rsakey site2key
ssl-server 200 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
ssl-server 200 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
ssl-server 200 vip address 10.20.30.40
I found several discussions on this topic and the conclusion was that it's not possible, but these examples were all using multiple ssl-proxy-lists. I'm thinking that if it's in the same proxy-list that it might?
We have a small development/testing setup for which I'd like to use one public IP as a front to all the backend servers, but two of the backend servers use different SSL certs. I am planning to use L5 rules to send traffic to the relevant servers/services depending on URL but want to perform SSL offload on the CSS, hence why I want multiple certs working off one shared VIP.
Hopefully that makes sense. Thanks for reading and any advice.
How do you know which certificate to use ???
The reason it's not possible is because the SSL protocol does not allow us to do it.
To see the HTTP request and the url you need to decrypt the traffic.
And to decrypt the traffic you need to know which certificate to use.
Therefore, you have to use the ip address or the tcp port to distinguish the connections and select the appropriate certificate.
Sadly you can't use L5/url rules to dictate which certificate is used, so I had to just use a different port other than 443 for each additional ssl policy I wanted on the same vip. In my case I just used 444 and told the web dev team to link there since it was just a QA environment.
So just use the 'port 444' option within both the content and ssl-proxy-list config stanzas to link the VIP to the correct ssl cert.
hope that helps
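As an added check (not from the thread or from Cisco), the following Python script parses ssl-server stanzas of the form shown above and flags any VIP:port that would be assigned more than one certificate, which is the configuration the replies explain cannot work; it assumes the CSS syntax "ssl-server <n> port <port>" for the port 444 workaround and a default of 443 when no port line is present.

```python
import re
from collections import defaultdict

# Constructed sample: the two ssl-server stanzas from the question, both
# pointing at the same VIP with no port line (so both default to 443).
SAMPLE_CONFIG = """\
ssl-server 100 rsacert site1cert
ssl-server 100 rsakey site1key
ssl-server 100 vip address 10.20.30.40
ssl-server 200 rsacert site2cert
ssl-server 200 rsakey site2key
ssl-server 200 vip address 10.20.30.40
"""

# Only the keywords that decide certificate selection are parsed; cipher,
# rsakey and other lines are ignored. "port" is an assumed CSS keyword.
LINE_RE = re.compile(r"^ssl-server\s+(\d+)\s+(rsacert|vip address|port)\s+(\S+)")


def parse_ssl_servers(config):
    """Return {server_number: {'rsacert': ..., 'vip': ..., 'port': ...}}."""
    servers = defaultdict(lambda: {"rsacert": None, "vip": None, "port": 443})
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        num, key, value = m.groups()
        if key == "rsacert":
            servers[num]["rsacert"] = value
        elif key == "vip address":
            servers[num]["vip"] = value
        else:  # port: the listener the CSS uses to pick a certificate
            servers[num]["port"] = int(value)
    return dict(servers)


def find_conflicts(config):
    """List (vip, port, certs) where one VIP:port listener has more than one cert.

    Each entry returned is a listener the CSS cannot serve, because it has no
    way to choose between the certificates before decrypting the handshake.
    """
    by_listener = defaultdict(set)
    for entry in parse_ssl_servers(config).values():
        if entry["vip"] and entry["rsacert"]:
            by_listener[(entry["vip"], entry["port"])].add(entry["rsacert"])
    return [(vip, port, sorted(certs))
            for (vip, port), certs in sorted(by_listener.items())
            if len(certs) > 1]
```

Appending "ssl-server 200 port 444" to the sample moves the second certificate to its own listener and the conflict disappears.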