10-27-2008 10:17 AM
I'm trying to have 3 different domain names all point to the same vip on my DX 3250. I'm able to use a "gateway" cluster on that vip to route_request to the appropriate cluster (1 for each domain name) based on Host header. This works fine for http, but not https. I'm guessing that route_request doesn't work for ssl?
I can't use a forwarder instead of a cluster for the "gateway" because forwarders don't use apprules.
Is there something I'm missing or another way of doing what I'm trying to accomplish?
Thanks in advance for any assistance or ideas!
11-03-2008 05:20 AM
I assume you are doing the SSL termination on the DX, so the traffic is unencrypted by the DX and it can inspect the HTTP headers. The problem you will have is that you can only have one hostname resolve to the gateway cluster VIP. This is because the cluster will have an SSL certificate which is for a specific hostname and it is presented during the initial SSL handshake, so the client will refuse to connect unless the certificate matches the hostname they are trying to access. As it is presented before any HTTP requests are sent, there is no way to know which URL the client is attempting to access - the client is connecting using the IP address obtained from a DNS query.
You can use a wildcard certificate if the URLs you wish to use are all within the same domain, e.g. www.juniper.net, download.juniper.net and ftp.juniper.net could all use a juniper.net wildcard certificate.
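The wildcard coverage described in the reply above, as an added example that is not part of the original thread: a check of which hostnames pointed at one VIP a given certificate name would validate for. The function names are hypothetical, the matching rule assumed is the common client behaviour (a `*` only as the whole leftmost label, standing for exactly one label), and the `example.org` name is constructed.

```python
import ipaddress


def _is_ip(name):
    """Wildcards never apply to IP literals, so detect them up front."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _labels(name):
    # Case-insensitive comparison; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if a certificate name (exact or '*.' wildcard) covers hostname."""
    if _is_ip(hostname):
        return False
    p, h = _labels(pattern), _labels(hostname)
    # Same number of labels is required: '*' never spans a dot.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # '*' is only accepted in the leftmost label of the pattern.
    if any("*" in label for label in h + p[1:]):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard, so '*.net' is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    # Exact names, and partial wildcards such as 'w*', must match literally.
    return p == h


def uncovered(cert_names, hostnames):
    """Hostnames on the VIP that the certificate would NOT validate for."""
    return [h for h in hostnames
            if not any(name_matches(c, h) for c in cert_names)]


if __name__ == "__main__":
    vip_hosts = ["www.juniper.net", "download.juniper.net", "ftp.juniper.net",
                 "juniper.net", "a.b.juniper.net", "www.example.org"]
    print("not covered by *.juniper.net:", uncovered(["*.juniper.net"], vip_hosts))
```

The bare domain and deeper subdomains fall outside the wildcard, so they need their own certificate name if they are to resolve to the same VIP.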