This topic provides step-by-step instructions to configure Enhanced Virtual Hosting in a virtual service and also explains in detail the configuration of a parent and a child virtual service.
Configuring Enhanced Virtual Hosting
To enable enhanced virtual hosting,
1. Navigate to CREATE VIRTUAL SERVICE or open an existing virtual service in edit mode.
2. Click Virtual Hosting VS and select Parent or Child to specify whether this is the parent or a child of an SNI-enabled virtual hosted virtual service.
3. Under Virtual Hosting Type, select Enhanced Virtual Hosting.
Ensure that both parent and its child virtual service have the same Virtual Hosting type.
SSL Profile and Certificate Configuration
Unlike a normal virtual service or an SNI virtual service, where only two certificates are allowed (one RSA and one EC), an EVH parent allows multiple domain-name certificates to be configured. The TLS server name is looked up against the configured certificates, and the matching certificate is served on the TLS connection. If no TLS server name is present, or the TLS server name does not match the common name, SAN, or DNS information in any of the configured certificates, the first certificate in the list (the default certificate) is served for that connection.
Each child virtual service can have its own application profile, WAF profile, and so on.
Click ADD under Hosts to add a new rule.
Enter a name and click ADD under Match. Configure the match as shown below.
Click SAVE. The Virtual Hosting Match Criteria is added to the Virtual Service.
Parent Virtual Service
The parent virtual service in EVH is configured without any vh_matches configuration. It receives all traffic and performs TLS termination, if necessary, before processing requests.
The parent virtual service allows multiple certificates to be configured for this virtual hosting. For SSL connections, the parent virtual service picks the matching server certificate based on the TLS server name requested by the client and the cipher used. If no server name is requested, or no match is found, the first certificate configured on the virtual service is used. For TLS mutual authentication, the PKI profile must be configured only on the parent virtual service. After the TLS handshake is complete, the parent receives all requests, matches them against the host names and paths configured on its children, selects the matching child virtual service, and hands the request off to it. If no child virtual service's configuration matches the request, the request is processed by the parent virtual service configuration. Essentially, the connection stays with the parent, but requests keep switching to its children for processing.
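The certificate lookup described above, as an added example that is not part of this documentation: a small Python model in which each configured certificate is summarised by its CN and SAN DNS names, the first list entry is the default certificate, and the lookup is an exact, case-insensitive name match. Cipher-based selection between RSA and EC certificates and wildcard names are not modelled; the ServerCert and select_cert helpers and the sample names are constructed for this example.

```python
"""Model of the EVH parent's server-certificate selection (added example,
not product code).

Assumption: each configured certificate is summarised by its CN and SAN DNS
names; the first entry in the list is the default certificate, as the text
above describes. Wildcard names and cipher-based RSA/EC choice are not handled.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    label: str                      # constructed label for the example
    common_name: str
    san_dns: List[str] = field(default_factory=list)

    def covers(self, server_name: str) -> bool:
        # DNS names are case-insensitive; compare in lower case, ignoring a
        # trailing dot on the requested name.
        name = server_name.lower().rstrip(".")
        if name == self.common_name.lower():
            return True
        return name in (s.lower() for s in self.san_dns)


def select_cert(certs: List[ServerCert], sni: Optional[str]) -> ServerCert:
    """Return the certificate the parent would serve for this TLS handshake.

    - No server name in the ClientHello -> first (default) certificate
    - Server name matches a CN/SAN     -> that certificate
    - Server name matches nothing      -> first (default) certificate
    """
    if not certs:
        raise ValueError("EVH parent needs at least one certificate")
    if sni:
        for cert in certs:
            if cert.covers(sni):
                return cert
    return certs[0]


# Constructed sample configuration (not taken from the page); the first
# entry is the default certificate.
CERTS = [
    ServerCert("default-rsa", "www.example.test", ["www.example.test", "example.test"]),
    ServerCert("shop-ec", "shop.example.test", ["shop.example.test"]),
    ServerCert("api-rsa", "api.example.test", ["api.example.test", "api-v2.example.test"]),
]

if __name__ == "__main__":
    for sni in [None, "shop.example.test", "API.example.test", "unknown.example.test"]:
        print(f"{sni!s:>22} -> {select_cert(CERTS, sni).label}")
```

The last two sample lookups show the two fallback cases from the text: a name that matches only via a SAN entry still selects the right certificate, while an unknown name (or a ClientHello with no server name) gets the default certificate, which is the only one OCSP stapling covers.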
Child Virtual Service
The child virtual service in EVH is configured with host and path match configuration. The parent virtual service performs the TCP and SSL termination, and request processing is handed to this virtual service if the request host and URL match the vh_matches configuration in the child virtual service. Multiple hosts, each with multiple path matches, can be configured under a child virtual service. Multiple child virtual services with non-conflicting vh_matches configuration can be associated with a parent virtual service. The child virtual service cannot do TLS termination and does not accept SSL configuration such as an SSL profile, SSL key and certificate, PKI profile, and so on.
All request- or response-specific configuration settings from the application profile, policies, DataScript, caching and compression, and WAF profile configured on the child virtual service apply to requests being processed by that child virtual service.
EVH Child Selection
The parent EVH virtual service terminates the TCP/SSL connection and processes the HTTP request line. The lookup key, built from the URI and the Host header, is matched against the configured match criteria to find the matching child.
Path Lookup Criteria
The following are the path lookup criteria supported:
Equals
Begins with
Regex pattern matches
Lookup is performed in the order listed above to find the matching child virtual service.
Notes
When configuring EVH for a virtual service, note the following:
A virtual hosting virtual service must be either SNI or EVH.
If the parent virtual service has EVH defined, then:
The child virtual service cannot have certificates or an SSL profile attached.
Multiple vh_matches configurations with the same host value are not allowed under a child virtual service. A child virtual service can have multiple paths configured under a single host. Two or more child virtual services cannot share the same host and path combinations.
A parent virtual service cannot be a child of another parent virtual service.
HTTP/2 is supported on EVH virtual service.
OCSP stapling does not work for certificates other than the first (default) certificate.
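The child selection described under EVH Child Selection and Path Lookup Criteria, together with the vh_matches uniqueness rules in the notes above, as one added Python example that is not part of this documentation. It assumes a simple data layout (a child holds a list of host matches, each with a list of path matches), tries the path criteria across all children in the order Equals, Begins with, Regex, and returns None when no child matches so that the parent processes the request; the validate_children check flags a host configured twice in one child and a host/path combination shared by two children. The helper names and sample hosts are constructed for this example and are not the product's API.

```python
"""EVH child selection and vh_matches conflict checks (added example, not
product code).

Assumed layout: a ChildVS has a list of HostMatch entries; each HostMatch has
a host name and a list of PathMatch entries. Lookup tries Equals first, then
Begins with, then Regex, across all children for the request host. A request
that matches no child is handled by the parent (returned as None).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Path criteria in the lookup order given in the text.
EQUALS, BEGINS_WITH, REGEX = "EQUALS", "BEGINS_WITH", "REGEX"
LOOKUP_ORDER = (EQUALS, BEGINS_WITH, REGEX)


@dataclass
class PathMatch:
    criteria: str
    value: str

    def matches(self, path: str) -> bool:
        if self.criteria == EQUALS:
            return path == self.value
        if self.criteria == BEGINS_WITH:
            return path.startswith(self.value)
        if self.criteria == REGEX:
            return re.match(self.value, path) is not None
        raise ValueError(f"unknown criteria {self.criteria!r}")


@dataclass
class HostMatch:
    host: str
    paths: List[PathMatch]


@dataclass
class ChildVS:
    name: str
    vh_matches: List[HostMatch]


def _normalise_host(host_header: str) -> str:
    # Host header may carry a port; host names are case-insensitive.
    return host_header.split(":", 1)[0].lower().rstrip(".")


def select_child(children: List[ChildVS], host_header: str, path: str) -> Optional[ChildVS]:
    """Return the child that should process the request, or None for the parent."""
    host = _normalise_host(host_header)
    for criteria in LOOKUP_ORDER:            # Equals, then Begins with, then Regex
        for child in children:
            for hm in child.vh_matches:
                if hm.host.lower() != host:
                    continue
                for pm in hm.paths:
                    if pm.criteria == criteria and pm.matches(path):
                        return child
    return None


def validate_children(children: List[ChildVS]) -> List[str]:
    """Return messages for the two vh_matches rules from the notes."""
    problems: List[str] = []
    seen: Dict[Tuple[str, str, str], str] = {}   # (host, criteria, value) -> owner
    for child in children:
        hosts_in_child = set()
        for hm in child.vh_matches:
            host = hm.host.lower()
            if host in hosts_in_child:
                problems.append(f"{child.name}: host {hm.host} configured more than once")
            hosts_in_child.add(host)
            for pm in hm.paths:
                owner = seen.setdefault((host, pm.criteria, pm.value), child.name)
                if owner != child.name:
                    problems.append(f"{child.name} and {owner} share {hm.host} {pm.criteria} {pm.value!r}")
    return problems


# Constructed sample configuration (not from the page).
CHILDREN = [
    ChildVS("shop-child", [HostMatch("shop.example.test",
                                     [PathMatch(BEGINS_WITH, "/cart"), PathMatch(EQUALS, "/")])]),
    ChildVS("api-child", [HostMatch("api.example.test", [PathMatch(REGEX, r"^/v[0-9]+/")]),
                          HostMatch("api-v2.example.test", [PathMatch(BEGINS_WITH, "/")])]),
    ChildVS("cart-exact", [HostMatch("shop.example.test", [PathMatch(EQUALS, "/cart/checkout")])]),
]

# Constructed configuration that breaks both rules from the notes.
BAD_CHILDREN = [
    ChildVS("dup-host", [HostMatch("a.example.test", [PathMatch(EQUALS, "/x")]),
                         HostMatch("a.example.test", [PathMatch(EQUALS, "/y")])]),
    ChildVS("c1", [HostMatch("b.example.test", [PathMatch(BEGINS_WITH, "/api")])]),
    ChildVS("c2", [HostMatch("b.example.test", [PathMatch(BEGINS_WITH, "/api")])]),
]

if __name__ == "__main__":
    for host, path in [("shop.example.test", "/cart/checkout"), ("shop.example.test", "/cart/items"),
                       ("API.example.test:443", "/v2/users"), ("shop.example.test", "/about")]:
        child = select_child(CHILDREN, host, path)
        print(f"{host:>22} {path:<16} -> {child.name if child else 'parent'}")
    for msg in validate_children(BAD_CHILDREN):
        print("conflict:", msg)
```

The first two sample requests show why the lookup order matters: /cart/checkout on the shop host goes to the child with the exact match even though another child has a Begins-with rule for /cart that would also match, and /cart/items falls through to that Begins-with rule. A request on a configured host with no matching path, or on an unconfigured host, returns None and stays with the parent.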