Enhanced Virtual Hosting

Overview

This guide explains the usage of enhanced virtual hosting (EVH), which enables virtual hosting on a virtual service irrespective of SNI.

A virtual service can be of one of two main types:

  • Non-virtual hosting enabled virtual service
  • Virtual hosting enabled virtual service

Non-Virtual Hosting enabled Virtual Service

If you uncheck the Virtual Hosting VS checkbox in the Virtual Service window, that virtual service is a non-virtual hosting enabled virtual service.

Virtual Hosting enabled Virtual Service

SNI Virtual Hosting

A virtual service has a configuration option to enable virtual hosting support. Enabling this option within a virtual service indicates that the virtual service is a parent or child of another virtual service in a server name indication (SNI) deployment.

Server Name Indication (SNI) is a method of virtual hosting multiple domain names on an SSL-enabled virtual IP.

For more details on virtual hosting enabled virtual services, refer to the Server Name Indication and Wildcard SNI Matching for Virtual Hosting user guides.

Enhanced Virtual Hosting

A virtual service has a configuration option to enable virtual hosting support. Enabling this option within a virtual service indicates that the virtual service is a parent or child of another virtual service. If the type of a virtual service is either parent or child, it is considered a virtual hosting enabled virtual service.

Virtual service placement for EVH services follows the same conditions as for SNI parent and child virtual services.

A parent can host either SNI children or EVH children, but not both at the same time.

Only children of the same virtual hosting type can be associated with a parent virtual service: if the parent virtual service is of SNI type, the associated children must also be of SNI type. Similarly, if the parent virtual service is of enhanced virtual hosting type, the children associated with it must also be of EVH type. An EVH child cannot be associated with an SNI parent, and vice versa.

SNI versus EVH

In SNI, multiple domains can be configured under a child virtual service and are owned by that virtual service; the same domain cannot be configured on other SNI children. In EVH, however, the same domain can be configured under multiple children, each with different path match criteria.

Also, SNI can only handle HTTPS traffic, whereas EVH children can handle both HTTP and HTTPS traffic.

  • Parent virtual services have the service ports configured on them and need to have SSL enabled on them.

  • In the child virtual service, the FQDN field is used to specify the domains for which the virtual service should be selected. HOST+PATH+match_criteria defines which child virtual service under a parent virtual service will process a given request.

In SNI, the entire connection received by the parent virtual service, including all of its requests, is handled by one of its child virtual services, selected during the TLS handshake. In EVH, the connection is always handled by the parent virtual service, and each individual request in that connection is handled by the child virtual service selected by matching the Host header, URI path and path match criteria configured under the child virtual service.

Avi Vantage supports EVH switching of different requests (within one connection) between the child virtual services of a single parent virtual service. Unlike SNI, which switches only TLS connections based on a one-to-one mapping of children to FQDNs, EVH maps one FQDN to many children based on the resource path requested.

SSL Profile and Certificate Configuration

You can select the Enhanced Virtual Hosting option from the Virtual Hosting Type drop-down list in the Settings tab of the New Virtual Service window.

Unlike a normal virtual service or an SNI virtual service, where only 2 certificates are allowed (one each of type RSA and EC), an EVH parent allows multiple domain name certificates to be configured. The TLS server name is looked up against the configured certificates and the matching certificate is served on the TLS connection. If no TLS server name is present, or the TLS server name does not match the common name, SAN or DNS information in any of the configured certificates, the first certificate in the list (the default certificate) is served for that connection.


Each child virtual service can have its own application profile, WAF profile, and so on.

Configuring EVH

While creating the virtual service, you can select either the parent or the child virtual hosting virtual service option. You should also select the Enhanced Virtual Hosting option from the Virtual Hosting Type drop-down list.

Ensure that both parent and its child virtual service have the same Virtual Hosting type.

Parent Virtual Service

The parent virtual service in EVH is configured without any vh_matches configuration. The virtual service receives all traffic and performs TLS termination, if necessary, before it reads requests.

The parent virtual service allows multiple certificates to be configured for this virtual hosting. For SSL connections, the parent virtual service picks the matching server certificate based on the TLS server name requested by the client and the cipher used. If no server name is requested or no match is found, the first certificate configured on the virtual service is used. For TLS mutual authentication, the PKI profile must be configured only on the parent virtual service.

After the TLS handshake is complete, the parent receives all the requests, matches them against the host names and paths configured on its children, selects the matching child virtual service and hands off the request to it. If none of the child virtual services' configurations match the request, the request is processed by the parent virtual service's own configuration. Essentially, the connection stays with the parent but requests keep switching to its children for processing.
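The certificate selection described in the SSL Profile and Certificate Configuration section and again above, as an added example rather than the product's own code: the parent's certificate list is searched in configured order for a common name or SAN matching the TLS server name, and the first certificate is the default when there is no server name or no match. The Certificate class and the one-label wildcard rule are assumptions; cipher-based selection is left out.

```python
from dataclasses import dataclass

# Constructed model of a certificate on the EVH parent (hypothetical field names).
@dataclass
class Certificate:
    name: str
    common_name: str
    sans: tuple = ()   # DNS names from subjectAltName

def _name_matches(cert_name, sni):
    cert_name = cert_name.lower()
    if cert_name.startswith("*."):
        # Assumption: a wildcard covers exactly one leftmost label (RFC 6125 style);
        # the guide does not say how the product treats wildcard certificates.
        head, sep, rest = sni.partition(".")
        return sep == "." and head != "" and "." + rest == cert_name[1:]
    return cert_name == sni

def select_certificate(certs, server_name):
    """Certificate served on a TLS connection to the EVH parent.
    certs: the parent's certificate list in configured order; certs[0] is the default."""
    if not certs:
        raise ValueError("an EVH parent needs at least one certificate")
    if server_name:
        sni = server_name.rstrip(".").lower()
        for cert in certs:  # first configured certificate whose CN/SAN matches wins
            if any(_name_matches(n, sni) for n in (cert.common_name, *cert.sans)):
                return cert
    return certs[0]  # no SNI, or no match: the default certificate

# Constructed sample: the first certificate in the list is the default.
CERTS = [
    Certificate("default-cert", "www.example.com", ("example.com",)),
    Certificate("shop-cert", "shop.example.com"),
    Certificate("api-wildcard", "*.api.example.com"),
]

if __name__ == "__main__":
    for sni in ("shop.example.com", "v1.api.example.com", "api.example.com", None):
        print(sni, "->", select_certificate(CERTS, sni).name)
```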


Child Virtual Service

The child virtual service in EVH is configured with host and path match configuration. The parent virtual service does the TCP and SSL termination, and request processing is handed to this virtual service if the request host and URL match the vh_matches configuration in the child virtual service. Multiple hosts, each with multiple path matches, can be configured under a child virtual service. Multiple child virtual services with non-conflicting vh_matches configuration can be associated with a parent virtual service. The child virtual service cannot do TLS termination and does not accept SSL configuration such as SSL profile, SSL key and certificate, PKI profile, etc.

All request/response specific configuration settings (application profile, policies, DataScripts, caching and compression, WAF profile) configured on the child virtual service apply to requests processed by that child virtual service.

EVH Child Selection

The parent EVH virtual service terminates the TCP/SSL connection and performs HTTP request line processing. The URI, Host header and match criteria form the lookup key used to find the matching child.

Path Lookup Criteria

The following are the path lookup criteria supported:

  • Equals

  • Begins with

  • Regex pattern matches

The criteria are evaluated in the above order to find the matching child virtual service.
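The child selection described in this section and in SNI versus EVH, as an added example (not the product's code): the parent keeps the connection and, per request, looks up Host + path against each child's vh_matches, trying Equals across all children before Begins with and then Regex, and falls back to its own configuration when nothing matches. The PathMatch/ChildVS classes and the sample children are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed model of a child's vh_matches (hypothetical field names, not the product's API).
@dataclass
class PathMatch:
    criteria: str      # "EQUALS", "BEGINS_WITH" or "REGEX"
    patterns: list     # path strings or regex patterns

@dataclass
class ChildVS:
    name: str
    vh_matches: dict   # host -> list of PathMatch

# Lookup order from the guide: exact path first, then prefix, then regex.
SEARCH_ORDER = ("EQUALS", "BEGINS_WITH", "REGEX")

def _path_matches(criteria, patterns, path):
    if criteria == "EQUALS":
        return path in patterns
    if criteria == "BEGINS_WITH":
        return any(path.startswith(p) for p in patterns)
    return any(re.search(p, path) for p in patterns)  # REGEX

def select_child(children, host_header, request_uri, parent_name="parent"):
    """Name of the child VS that processes this request; the parent if nothing matches."""
    host = host_header.split(":")[0].strip().lower()  # Host header may carry a port
    path = request_uri.split("?", 1)[0]               # criteria apply to the path only
    for criteria in SEARCH_ORDER:                     # all EQUALS children before any BEGINS_WITH
        for child in children:
            for pm in child.vh_matches.get(host, []):
                if pm.criteria == criteria and _path_matches(criteria, pm.patterns, path):
                    return child.name
    return parent_name

# Constructed sample: three children; two of them share www.example.com with different paths.
CHILDREN = [
    ChildVS("api-child", {"www.example.com": [PathMatch("BEGINS_WITH", ["/api"])]}),
    ChildVS("health-child", {"www.example.com": [PathMatch("EQUALS", ["/api/health"])]}),
    ChildVS("img-child", {"www.example.com": [PathMatch("REGEX", [r"\.(png|jpg)$"])],
                          "static.example.com": [PathMatch("BEGINS_WITH", ["/"])]}),
]

if __name__ == "__main__":
    for host, uri in [("www.example.com", "/api/health"), ("www.example.com:443", "/api/users?x=1"),
                      ("www.example.com", "/logo.png"), ("www.example.com", "/about")]:
        print(host, uri, "->", select_child(CHILDREN, host, uri))
```

Note that /api/health goes to health-child even though api-child's Begins with /api would also match, because the Equals pass runs first.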

Application Metrics

With EVH, the connection is received by the parent virtual service and each individual request is processed by the matching child virtual service. Each request is mapped to the metrics of the matching child virtual service, and request-level metrics are collected on that child. Connection-level metrics, including TCP and SSL, are collected on the parent virtual service.

Note: Virtual Service Security > {SSL Certificate, SSL TLS Version, SSL Score} analytics are not applicable to, and are not shown on, child virtual services.

Points to be Noted

The following are the points to be noted:

  • A virtual hosting virtual service should be either SNI or EVH.

  • If the parent virtual service has EVH defined, then:

    • The child virtual services cannot have certificates or an SSL profile attached to them.

    • Multiple vh_matches configurations with the same host value are not allowed under a child virtual service. A child virtual service can have multiple paths configured under a single host.

    • Two or more child virtual services cannot share the same host and path match combinations.

  • A parent virtual service cannot be a child of another parent virtual service.

  • HTTP/2 is not supported.

  • OCSP stapling will not work for certificates other than the first/default certificate.
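A pre-deployment check for the three EVH child rules listed above (no SSL configuration on a child, no repeated host inside one child's vh_matches, no host and path match combination shared by two children), as an added example and not a product feature. The dict layout of the children is a constructed assumption, not the product's API schema.

```python
def validate_evh_children(children):
    """Check EVH children under one parent; returns a list of problems (empty means OK).
    children: constructed list of dicts (hypothetical keys), e.g.
      {"name": "api", "ssl_config": False,
       "vh_matches": [{"host": "www.example.com",
                       "paths": [{"criteria": "BEGINS_WITH", "patterns": ["/api"]}]}]}"""
    problems = []
    owner = {}  # (host, criteria, pattern) -> child that already uses that combination
    for child in children:
        name = child["name"]
        # Rule: certificates / SSL profile belong on the EVH parent only.
        if child.get("ssl_config"):
            problems.append(f"{name}: certificates or SSL profile attached to an EVH child")
        # Rule: the same host may not appear in more than one vh_matches entry of a child.
        hosts = [m["host"].lower() for m in child["vh_matches"]]
        for host in sorted(set(hosts)):
            if hosts.count(host) > 1:
                problems.append(f"{name}: host {host} appears in more than one vh_matches entry")
        # Rule: two children may not share the same host + criteria + path pattern.
        for m in child["vh_matches"]:
            for pm in m["paths"]:
                for pat in pm["patterns"]:
                    key = (m["host"].lower(), pm["criteria"], pat)
                    if key in owner and owner[key] != name:
                        problems.append(f"{name}: {key} is already used by child {owner[key]}")
                    owner.setdefault(key, name)
    return problems

# Constructed samples: one valid pair of children, one that breaks all three rules.
GOOD = [
    {"name": "api", "ssl_config": False, "vh_matches": [
        {"host": "www.example.com", "paths": [{"criteria": "BEGINS_WITH", "patterns": ["/api"]}]}]},
    {"name": "img", "ssl_config": False, "vh_matches": [
        {"host": "www.example.com", "paths": [{"criteria": "REGEX", "patterns": [r"\.png$"]}]}]},
]
BAD = [
    {"name": "c1", "ssl_config": True, "vh_matches": [
        {"host": "www.example.com", "paths": [{"criteria": "BEGINS_WITH", "patterns": ["/api"]}]},
        {"host": "WWW.example.com", "paths": [{"criteria": "EQUALS", "patterns": ["/login"]}]}]},
    {"name": "c2", "ssl_config": False, "vh_matches": [
        {"host": "www.example.com", "paths": [{"criteria": "BEGINS_WITH", "patterns": ["/api"]}]}]},
]

if __name__ == "__main__":
    print("GOOD:", validate_evh_children(GOOD) or "no problems")
    print("BAD:", *validate_evh_children(BAD), sep="\n  ")
```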

Document Revision History

Date               Change Summary
December 23, 2020  Created Enhanced Virtual Hosting user guide