G'day all,
I'm trying to configure an F5 virtual BIG-IP for L4 pass-through SNI load balancing, but am having trouble (probably because I'm new to F5s).
We have backend websites that require SNI (due to co-hosting multiple applications on a small set of servers).
I'd like to load balance (more correctly, provide HA) to those servers from the F5 at the L4/TCP level, i.e. no SSL termination and no requirement to upload individual site certificates onto the F5 (certs are issued by an internal CA; the root/intermediate certs are already available and trusted).
I was able to get this working fairly easily in HAProxy using a config that looks like:
frontend https
    bind *:443                        # listener address assumed; not in the original config
    mode tcp
    tcp-request inspect-delay 5s      # wait for the ClientHello before choosing a backend
    use_backend api-uat if { req_ssl_sni -i api-uat.mydomain }
    use_backend api-prod if { req_ssl_sni -i api.mydomain }
    # repeat for other backends #

backend api-prod
    mode tcp
    balance leastconn
    # health check speaks TLS with the right SNI and validates the server cert against the internal root
    option httpchk GET / HTTP/1.1\r\nHost:\ api.mydomain
    server Server1 10.1.1.1:443 check check-ssl check-sni api.mydomain ca-file MyPKIRoot.pem
    server Server2 10.1.1.2:443 check check-ssl check-sni api.mydomain ca-file MyPKIRoot.pem
    # repeat for other backends #
However, the documentation on the F5 site is targeted at hosting using SNI (i.e. SSL termination on the F5, Client SSL profile certs required).
Can any F5 gurus confirm if this is even possible? As a side note, the SNI health check for the backend servers is woefully under par too, but I'll get to that once I can get the virtual server working correctly :(
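What HAProxy's `req_ssl_sni` does under the hood, and what any L4 pass-through router (an F5 iRule reading the raw TCP payload included) must do, is pull the server_name out of the unencrypted TLS ClientHello before any handshake happens, so no certificate is needed on the load balancer. The parser below is an added example, not code from the original post or from F5/HAProxy; the hostnames and backend names are the post's, and `build_client_hello` constructs a minimal ClientHello purely for testing.

```python
import struct

# SNI -> backend, mirroring the post's HAProxy use_backend rules
SNI_ROUTES = {
    "api-uat.mydomain": "api-uat",
    "api.mydomain": "api-prod",
}

def extract_sni(data: bytes):
    """Return server_name from a TLS ClientHello, or None if absent, truncated or not a ClientHello."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake, then 0x01 = ClientHello
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                      # record incomplete: keep collecting bytes
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    try:
        pos = 2 + 32                     # client_version + random
        pos += 1 + body[pos]             # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]             # compression methods
        if pos + 2 > len(body):
            return None                  # no extensions block at all (old client, no SNI)
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:            # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_size
    except (IndexError, struct.error):
        return None                      # malformed hello: treat as no SNI
    return None

def choose_backend(data: bytes):
    """Route on SNI; an unknown or missing name is refused rather than sent to a default pool."""
    sni = extract_sni(data)
    return SNI_ROUTES.get(sni) if sni else None

def build_client_hello(host=None):
    """Constructed minimal ClientHello (TLS 1.2 record, one suite); host=None omits extensions."""
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00")        # one cipher suite, null compression
    if host is not None:
        name = host.encode()
        ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The truncated-record and no-extensions branches are the cases a production router has to get right: the first means "collect more data before deciding", the second is a client that will never present an SNI and so cannot be routed this way.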