Client-IP-based SSL Profiles

Overview

To terminate client SSL connections, both an SSL profile and an SSL certificate must be assigned to the virtual service. Starting with release 18.2.3, Avi Vantage can accommodate a broader set of security needs within a client community by associating multiple SSL profiles with a single virtual service, and have the Service Engines choose which to use based on the client’s IP address.

To learn the basics of setting up an SSL/TLS profile, please read this KB article.

How It Works

Refer to the figure below. At its simplest, an SSL/TLS virtual service must be configured with some base SSL profile. That profile might be identical to the system default profile shipped with every Avi Vantage release image, or a custom-defined one. The key point is that it must exist. Optionally, to treat part of the client community differently, an authorized user may define and associate one or more profile selectors with the VS. Their presence triggers an algorithm within Avi Vantage that, based on the client's IP address, may cause the Service Engine to apply profile parameters other than those defined in the base SSL profile.

[Figure: profile selectors for a virtual service]

Profile Selector Anatomy

Refer to the figure below, which depicts just one profile selector; a given VS may have several.

[Figure: profile selector anatomy]

A profile selector consists of two entities:

  1. A client IP list containing …
    • An IP group reference, which points to one or more IP groups, and collectively identifies all the clients for which the SSL profile selector applies.
    • A match criterion, which governs whether presence in or absence from the list causes a client to take on the selector's SSL profile parameters.
  2. An SSL profile reference (exactly one per selector), which is a named SSL profile with parameters such as SSL/TLS version, SSL timeout, ciphers, etc.

Algorithm

  • If one or more profile selectors are associated with the VS, Avi Vantage goes through them one by one, attempting to match the client's IP address. Note that the selector list is ordered, so the same set of selectors can yield very different results depending on the sequence in which they are listed.
  • If, after going through the selectors, no SSL profile has been assigned to the client, the base SSL profile is applied.
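The selection walk described above, as an added example that is not part of the original article or of the Avi Vantage code base. It models IP groups as lists of prefixes and assumes that the first selector whose criterion the client satisfies wins (which is what the note on ordering implies), and that the counterpart of IS_IN is named IS_NOT_IN; the group names, prefixes and profile names other than sslprofile-2 and System-Standard are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed IP groups: name -> prefixes (illustrative, not a real deployment)
IP_GROUPS = {
    "Internal": ["10.0.0.0/8", "192.168.0.0/16"],
    "Ip-grp-2": ["172.16.0.0/12"],
    "Partners": ["203.0.113.0/24"],
}


@dataclass
class Selector:
    """One SSL profile selector: a client IP list plus exactly one SSL profile."""
    group_refs: list        # IP group names; the client list is their union
    match_criteria: str     # "IS_IN" (from the page) or "IS_NOT_IN" (assumed name)
    ssl_profile_ref: str


def client_in_groups(client_ip, group_refs):
    """True if the client address falls inside any prefix of any referenced group."""
    ip = ipaddress.ip_address(client_ip)
    for name in group_refs:
        for prefix in IP_GROUPS[name]:
            net = ipaddress.ip_network(prefix)
            if ip.version == net.version and ip in net:
                return True
    return False


def select_ssl_profile(client_ip, selectors, base_profile):
    """Walk the ordered selector list; first satisfied criterion wins.
    If no selector assigns a profile, the VS base SSL profile applies."""
    for sel in selectors:
        present = client_in_groups(client_ip, sel.group_refs)
        if sel.match_criteria == "IS_IN" and present:
            return sel.ssl_profile_ref
        if sel.match_criteria == "IS_NOT_IN" and not present:
            return sel.ssl_profile_ref
    return base_profile


# Selectors in the order they would be listed on the VS (the first mirrors the CLI example)
SELECTORS = [
    Selector(["Internal", "Ip-grp-2"], "IS_IN", "sslprofile-2"),
    Selector(["Partners"], "IS_NOT_IN", "sslprofile-strict"),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.20.0.9", "203.0.113.7", "198.51.100.4"):
        print(ip, "->", select_ssl_profile(ip, SELECTORS, "System-Standard"))
```

Reversing SELECTORS changes the outcome for an Internal client (the IS_NOT_IN selector now matches it first), which is the ordering sensitivity the algorithm note warns about.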

Configuration Using the Avi CLI

The example below adds an SSL profile selector to the pre-existing VS named vs-1. The client IP list is the combination of the pre-existing IP groups named Internal and Ip-grp-2. These two groups and the ssl_profile_ref (named sslprofile-2 in this example) should be configured beforehand according to the requirements of the traffic flow and the SSL algorithms.

Note: Some output lines have been removed for the sake of brevity.

[admin:10-160-3-76]: > configure virtualservice vs-1
Updating an existing object. Currently, the object is:
+------------------------------------+-----------------------------------------------------+
| Field                              | Value                                               |
+------------------------------------+-----------------------------------------------------+
| uuid                               | virtualservice-08ba76c3-faab-430d-86db-a4d9703effa4 |
| name                               | vs-1                                                |
| enabled                            | True                                                |
| services[1]                        |                                                     |
|   port                             | 80                                                  |
|   enable_ssl                       | False                                               |
|   port_range_end                   | 80                                                  |
| services[2]                        |                                                     |
|   port                             | 443                                                 |
|   enable_ssl                       | True                                                |
|   port_range_end                   | 443                                                 |
| application_profile_ref            | System-HTTP                                         |
| network_profile_ref                | System-TCP-Proxy                                    |
| pool_ref                           | vs-1-pool                                           |
| se_group_ref                       | Default-Group                                       |
| network_security_policy_ref        | vs-vs-1-Default-Cloud-ns                            |
| http_policies[1]                   |                                                     |
|   index                            | 11                                                  |
|   http_policy_set_ref              | vs-1-Default-Cloud-HTTP-Policy-Set-0                |
| ssl_key_and_certificate_refs[1]    | System-Default-Cert                                 |
| ssl_profile_ref                    | System-Standard                                     |
                                     .
                                     .
                                     .
| vip[1]                             |                                                     |
|   vip_id                           | 1                                                   |
|   ip_address                       | 10.160.221.250                                      |
|   enabled                          | True                                                |
|   auto_allocate_ip                 | False                                               |
|   auto_allocate_floating_ip        | False                                               |
|   avi_allocated_vip                | False                                               |
|   avi_allocated_fip                | False                                               |
|   auto_allocate_ip_type            | V4_ONLY                                             |
| vsvip_ref                          | vsvip-vs-1-Default-Cloud                            |
| use_vip_as_snat                    | False                                               |
| traffic_enabled                    | True                                                |
| allow_invalid_client_cert          | False                                               |
+------------------------------------+-----------------------------------------------------+

[admin:10-160-3-76]: virtualservice> ssl_profile_selectors
New object being created
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors> client_ip_list
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> match_criteria is_in
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> group_refs Internal
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> group_refs Ip-grp-2
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> save
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors> ssl_profile_ref sslprofile-2
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors> save
[admin:10-160-3-76]: virtualservice> save
+------------------------------------+-----------------------------------------------------+
| Field                              | Value                                               |
+------------------------------------+-----------------------------------------------------+
| uuid                               | virtualservice-08ba76c3-faab-430d-86db-a4d9703effa4 |
| name                               | vs-1                                                |
| enabled                            | True                                                |
| services[1]                        |                                                     |
|   port                             | 80                                                  |
|   enable_ssl                       | False                                               |
|   port_range_end                   | 80                                                  |
| services[2]                        |                                                     |
|   port                             | 443                                                 |
|   enable_ssl                       | True                                                |
|   port_range_end                   | 443                                                 |
| application_profile_ref            | System-HTTP                                         |
| network_profile_ref                | System-TCP-Proxy                                    |
| pool_ref                           | vs-1-pool                                           |
| se_group_ref                       | Default-Group                                       |
| network_security_policy_ref        | vs-vs-1-Default-Cloud-ns                            |
| http_policies[1]                   |                                                     |
|   index                            | 11                                                  |
|   http_policy_set_ref              | vs-1-Default-Cloud-HTTP-Policy-Set-0                |
| ssl_key_and_certificate_refs[1]    | System-Default-Cert                                 |
| ssl_profile_ref                    | System-Standard                                     |
                                     .
                                     .
                                     .
| vip[1]                             |                                                     |
|   vip_id                           | 1                                                   |
|   ip_address                       | 10.160.221.250                                      |
|   enabled                          | True                                                |
|   auto_allocate_ip                 | False                                               |
|   auto_allocate_floating_ip        | False                                               |
|   avi_allocated_vip                | False                                               |
|   avi_allocated_fip                | False                                               |
|   auto_allocate_ip_type            | V4_ONLY                                             |
| vsvip_ref                          | vsvip-vs-1-Default-Cloud                            |
| use_vip_as_snat                    | False                                               |
| traffic_enabled                    | True                                                |
| allow_invalid_client_cert          | False                                               |
| ssl_profile_selectors[1]           |                                                     |
|   client_ip_list                   |                                                     |
|     match_criteria                 | IS_IN                                               |
|     group_refs[1]                  | Internal                                            |
|     group_refs[2]                  | Ip-grp-2                                            |
|   ssl_profile_ref                  | sslprofile-2                                        |
+------------------------------------+-----------------------------------------------------+
[admin:10-160-3-76]: >

Notes

  1. A virtual service’s SSL profile selector client IP list does not (yet) support implicit IP configurations. Please use group UUIDs.
  2. An SSL profile selector configuration requires the virtual service to have at least one SSL-enabled service port. Otherwise, it should be a child virtual service.
  3. A child VS will not inherit its parent virtual service’s SSL profile selectors; just the parent’s default SSL profile.