Avi Load Balancer SSL support includes multi-level domain name support. Multi-level domain support allows a pool to be configured with a list of multiple domain names for server certificate verification. During SSL session setup between a back-end server and the Service Engine (SE), the Avi Load Balancer checks the server’s certificate for the domain names listed in the pool. If any of the domain names are found in the certificate, the SSL session is allowed. However, if the certificate presented by the back-end server does not contain any of the domain names listed in the pool, the SSL session is not allowed.
Within a pool configuration, the SSL settings for securing connections to the back-end servers include an option to enable host header checking. After enabling this option, the domain name list can be specified. The type of matching used to verify the certificate’s server name depends on how these options are configured.
Host Header Check |
Domain Name List |
How Server Name Matching Is Performed |
---|---|---|
N |
Not configurable |
Not checked |
Y |
N |
Domain name in certificate's Common Name or Subject Alternative Name field must match hostname of request URL. If the domain name list is configured, but does not match any name in the certificate, the connection is denied. |
Y |
Y |
Domain name in certificate's Common Name or Subject Alternative Name field must match domain name in pool's domain name list. If the requested hostname does not match a hostname in the certificate, the connection is denied. |
Configuring Multi-level Domain Support
Navigate to
.Click the edit icon next to the pool name, or click Create Pool if creating a new one.
On the Settings tab, select the SSL to Backend Servers check box. Additional SSL configuration fields for the pool are displayed.
Select the Host Header Check check box. The Domain Names field is displayed.
To check strictly based on the request URL hostname, retain the default selection for Host Header Check check box and leave the Domain Names field blank.
To check based on a list of domain names, enter them in the Domain Names field.
To save the pool, click Next till the Review tab appears, click Save.
Note:If creating a new pool, a name is required before the pool can be saved.