
APM :: Portal Access Lists :: SNI & HTTP

I'm trying to create a Portal Access List with a few web resources, and one of the links does not work because it is an Apache server that is validating that the SNI and HTTP hostname match. The problem is that when the user logs into APM and launches the web link, they are launching a request to the APM and not the backend server... therefore the SNI is for APM and does not match the HTTP hostname in the header (which is specified in the Portal Access link via Application URI).

[ssl:error] [pid 11111] AH02032: Hostname xxx.yyy.com provided via SNI and hostname aaa.bbb.com provided via HTTP are different

From what I've read, this cannot be disabled on the Apache server without removing SNI and recompiling... which is not an option for me. However, this F5 use case seems like it would be fairly common, so I'm not sure what I'm missing here.

Anybody have any thoughts?

Thanks-


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Use this iRule:

when ACCESS_ACL_ALLOWED {
    # Take the SNI value from the HTTP Host header, with any ":port" suffix stripped
    set sni_value [getfield [HTTP::host] ":" 1]
}

when SERVERSSL_CLIENTHELLO_SEND {

    # SNI extension record as defined in RFC 3546 section 3.1
    #
    # - TLS Extension Type                =  int16( 0 = SNI )
    # - TLS Extension Length              =  int16( $sni_length + 5 byte )
    #    - SNI Record Length              =  int16( $sni_length + 3 byte )
    #       - SNI Record Type             =   int8( 0 = HOST )
    #          - SNI Record Value Length  =  int16( $sni_length )
    #          - SNI Record Value         =    str( $sni_value )
    #

    # Calculate the length of the SNI value, compute the SNI record / TLS extension
    # fields (all lengths big-endian) and add the result to the server-side ClientHello

    SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]

}

This is Kai Wilke's code, with the host name taken from the rewritten hostname instead of the portal hostname.

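To see what the iRule's `binary format SSScSa*` call actually emits, and why it satisfies the Apache check quoted in the question, here is an added Python example (not part of the answer above and not F5 or Apache code). It builds the server_name extension with the same field layout, parses it back while validating every length field, and then performs the same "SNI host equals HTTP Host" comparison that produces the AH02032 error. The host names are the placeholders from the log line in the question.

```python
import struct

# Field values from the iRule's comment block (RFC 3546 section 3.1)
SNI_EXT_TYPE = 0x0000       # TLS extension type 0 = server_name
SNI_NAME_TYPE_HOST = 0x00   # NameType 0 = host_name


def build_sni_extension(hostname: str) -> bytes:
    """Produce the bytes the iRule's 'binary format SSScSa*' produces.

    Layout, all integers big-endian (Tcl 'S' / struct '!H'):
      ext type (2) | ext length (2) | list length (2) | name type (1) | name length (2) | name
    """
    name = hostname.encode("ascii")
    n = len(name)
    header = struct.pack("!HHHBH", SNI_EXT_TYPE, n + 5, n + 3, SNI_NAME_TYPE_HOST, n)
    return header + name


def parse_sni_extension(data: bytes) -> str:
    """Parse one server_name extension and return the host name.

    Every nested length is cross-checked so a truncated or mis-sized
    record is rejected instead of silently yielding a wrong name.
    """
    if len(data) < 9:
        raise ValueError("extension too short for SNI header")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", data[:9])
    if ext_type != SNI_EXT_TYPE:
        raise ValueError("not a server_name extension")
    if ext_len != len(data) - 4:
        raise ValueError("extension length does not match payload")
    if list_len != ext_len - 2:
        raise ValueError("server_name list length inconsistent")
    if name_type != SNI_NAME_TYPE_HOST:
        raise ValueError("unsupported NameType")
    if name_len != list_len - 3:
        raise ValueError("host_name length inconsistent")
    return data[9:9 + name_len].decode("ascii")


def host_header_name(host_header: str) -> str:
    """Equivalent of the iRule's [getfield [HTTP::host] ":" 1]: drop any :port."""
    return host_header.split(":", 1)[0]


def sni_matches_host(sni_ext: bytes, host_header: str) -> bool:
    """The comparison behind Apache's AH02032: SNI host vs HTTP Host header.

    Host names are case-insensitive, so compare them lower-cased.
    """
    return parse_sni_extension(sni_ext).lower() == host_header_name(host_header).lower()


if __name__ == "__main__":
    # Constructed sample: the backend expects aaa.bbb.com, the portal is xxx.yyy.com
    good = build_sni_extension("aaa.bbb.com")
    print(good.hex())
    print("with iRule:", sni_matches_host(good, "aaa.bbb.com:443"))
    print("without iRule:", sni_matches_host(build_sni_extension("xxx.yyy.com"), "aaa.bbb.com"))
```

Running it shows the 20-byte record for `aaa.bbb.com` (type 0, extension length 16, list length 14, name length 11) and that the mismatch in the question is exactly the case where the ClientHello still carries the portal's name while the Host header carries the backend's.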
Comments on this Answer
Comment made 06-Jun-2017 by Ryan 509

I haven't tested this, but seems logical to me! Before seeing this, I installed stunnel on the server in question and called it a day ;o) But good to know about the above, thanks.
