Okay... so you don't need an iRule for this. You can configure a client SSL profile using each of the SSL certificates/keys, for each virtual server. This will allow you to decrypt the client to virtual server SSL.
You can then configure a single server SSL profile and associate that profile with each of the virtual servers. This will allow BIG-IP to re-encrypt traffic from itself as the client to the servers in the pool.
To insert the X-Forwarded-For header, just enable the option on a new HTTP profile and associate that with the virtual server.
As this doesn't pertain to rules, please read up on these configuration steps in the 9.x Configuration Guide for your version on AskF5.com. If you have any questions, you can contact F5 support.
Thanks,
Aaron