VirtualServer with TLSProfile
A TLSProfile attached to a VirtualServer specifies the TLS termination. TLS termination relies on SNI, so any non-SNI traffic received on port 443 may result in connection issues. The example below shows how to attach a TLSProfile to a VirtualServer.
```yaml
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  name: coffee-virtual-server
  labels:
    f5cr: "true"
  namespace: default
spec:
  host: coffee.example.com
  tlsProfileName: reencrypt-tls  # --> This will attach reencrypt-tls TLSProfile
  virtualServerAddress: "172.16.3.4"
  httpTraffic: redirect
  pools:
    - path: /coffee
      service: svc
      servicePort: 80
```
- CIS maintains a 1:1 mapping between a domain (CommonName) and a BIG-IP-VirtualServer.
- You can create any number of custom resources for a single domain. For example, you can create two VirtualServers with different terminations for the same domain: one with an edge TLSProfile and another with a re-encrypt TLSProfile. Both VirtualServers should be created with the same virtualServerAddress.
- A single VirtualServer, or a group of VirtualServers with the same virtualServerAddress, is created as one common BIG-IP-VirtualServer.
- To change a secure (TLS) virtual server to an insecure (non-TLS) virtual server, delete the secure virtual server first and then create a new virtual server.
- Configure the behavior of the HTTP virtual server with httpTraffic. The allowed values are:
  - allow: Allows HTTP
  - none: Only HTTPS
  - redirect: Redirects HTTP to HTTPS
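A pre-apply check for the rules listed above, written as an added example and not taken from CIS or F5 code. It assumes the manifests are already parsed into dicts; the function name, resource names, the edge-tls profile name and the second address are made up for illustration, and the warning on allow is this example's own policy rather than a CIS rule.

```python
from collections import defaultdict

ALLOWED_HTTP_TRAFFIC = {"allow", "none", "redirect"}  # values listed on this page


def lint_virtual_servers(manifests):
    """Return sorted (resource name, finding) tuples for VirtualServer dicts."""
    findings = []
    by_host = defaultdict(list)  # host -> [(name, virtualServerAddress)]
    for m in manifests:
        if m.get("kind") != "VirtualServer":
            continue
        name = m.get("metadata", {}).get("name", "<unnamed>")
        spec = m.get("spec", {})
        # The page spells the field httpTraffic; treat a case variant as a typo.
        for key in spec:
            if key.lower() == "httptraffic" and key != "httpTraffic":
                findings.append((name, f"key '{key}' should be 'httpTraffic'"))
        mode = spec.get("httpTraffic")
        if mode is not None and mode not in ALLOWED_HTTP_TRAFFIC:
            findings.append((name, f"httpTraffic '{mode}' is not an allowed value"))
        # Policy of this example, not a CIS rule: with a TLSProfile attached,
        # 'allow' still serves plaintext HTTP, so report it for review.
        if spec.get("tlsProfileName") and mode == "allow":
            findings.append((name, "TLSProfile attached but httpTraffic is 'allow'"))
        if spec.get("host"):
            by_host[spec["host"]].append((name, spec.get("virtualServerAddress")))
    # VirtualServers for one domain should share one virtualServerAddress.
    for host, members in by_host.items():
        if len({addr for _, addr in members}) > 1:
            findings += [(n, f"host '{host}' has mixed virtualServerAddress values")
                         for n, _ in members]
    return sorted(findings)


# Constructed sample: the dicts a YAML loader would return for two manifests.
# Resource names, 'edge-tls' and 172.16.3.5 are made up for this example.
SAMPLE = [
    {"kind": "VirtualServer", "metadata": {"name": "coffee-edge"},
     "spec": {"host": "coffee.example.com", "tlsProfileName": "edge-tls",
              "virtualServerAddress": "172.16.3.4", "httpTraffic": "allow"}},
    {"kind": "VirtualServer", "metadata": {"name": "coffee-reencrypt"},
     "spec": {"host": "coffee.example.com", "tlsProfileName": "reencrypt-tls",
              "virtualServerAddress": "172.16.3.5", "httptraffic": "redirect"}},
]

if __name__ == "__main__":
    for name, finding in lint_virtual_servers(SAMPLE):
        print(f"{name}: {finding}")
```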