Thanks for your reply! Creating iRules is a new thing for me and this one looks fairly complicated, but would I be right in thinking that I only need to edit the part below of the rule in the link you provided, to match the specific FQDNs and pools I'm using?
    if { [info exists tls_servername] } {
        log local0. "tls_servername = ${tls_servername}"
        switch [string tolower $tls_servername] {
            "test.abc.com" {pool Test_Pool-8892-pool}
            "test2.def.com" {pool Test_Pool_2-8892-pool}
            default {pool $default_pool}
        }
    }
If so, the fully configured iRule would look like this?
    when CLIENT_ACCEPTED {
        TCP::collect
        set default_pool [LB::server pool]
    }

    when CLIENT_DATA {
        set payload [TCP::payload]
        set payloadlen [TCP::payload length]

        # If valid TLS 1.X CLIENT_HELLO handshake packet
        if { [binary scan $payload cccScx37c tls_record_content_type tls_major_version tls_minor_version tls_recordlen tls_action tls_sessidlen] == 6 && \
            ($tls_record_content_type == 22) && \
            ($tls_major_version == 3) && ($tls_minor_version > 0) && \
            ($tls_action == 1) && \
            ($payloadlen == $tls_recordlen+5)} {

            # skip past the session id
            set record_offset [expr {44 + $tls_sessidlen}]

            # skip past the cipher list
            binary scan $payload @${record_offset}S tls_ciphlen
            set record_offset [expr {$record_offset + 2 + $tls_ciphlen}]

            # skip past the compression list
            binary scan $payload @${record_offset}c tls_complen
            set record_offset [expr {$record_offset + 1 + $tls_complen}]

            # check for the existence of ssl extensions
            if { ($payloadlen > $record_offset) } {
                # skip to the start of the first extension
                binary scan $payload @${record_offset}S tls_extenlen
                set record_offset [expr {$record_offset + 2}]

                # Check if extension length + offset equals payload length
                if {$record_offset + $tls_extenlen == $payloadlen} {
                    # for each extension
                    while { $record_offset < $payloadlen } {
                        binary scan $payload @${record_offset}SSx3S etype elen erlen
                        if { ($etype == 0) } {
                            # if it's a servername extension read the servername
                            # SNI value starts after extension type (2 bytes), extension length (2 bytes),
                            # server name list length (2 bytes), name type (1 byte), name length (2 bytes) = 9 bytes
                            binary scan $payload @[expr {$record_offset + 9}]A${erlen} tls_servername
                            set record_offset [expr {$record_offset + $elen + 4}]
                            break
                        } else {
                            # skip over other extensions
                            set record_offset [expr {$record_offset + $elen + 4}]
                        }
                    }
                }
            }
        } else {
            log local0. "packet is not a valid TLS 1.X CLIENT_HELLO handshake"
            reject
            return
        }

        unset -nocomplain payload payloadlen tls_record_content_type tls_major_version tls_minor_version tls_recordlen tls_action tls_sessidlen record_offset tls_ciphlen tls_complen tls_extenlen etype elen erlen

        if { [info exists tls_servername] } {
            log local0. "tls_servername = ${tls_servername}"
            switch [string tolower $tls_servername] {
                "test.abc.com" {pool Test_Pool-8892-pool}
                "test2.def.com" {pool Test_Pool_2-8892-pool}
                default {pool $default_pool}
            }
        } else {
            log local0. "packet is a valid TLS 1.X CLIENT_HELLO handshake but doesn't contain server name extension"
            pool $default_pool
        }

        TCP::release
    }
Lastly, is there anything else that needs to be added to the virtual server? Or is what I have enough?
Thanks again!
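The ClientHello walk that the rule above performs, re-implemented in Python as an added example (it is not part of this post, nor F5's own code) so the offset logic and the pool selection can be checked offline against a captured or constructed handshake before the rule goes on a virtual server. The `build_client_hello` helper, the pool-name dictionary and the sample hostnames are constructed for this example; the checks and byte offsets are the same ones the iRule's `binary scan cccScx37c` and extension loop use.

```python
"""Reference model of the SNI-routing iRule's ClientHello parsing (added example)."""
import struct

# Constructed mapping that mirrors the iRule's switch; names are lowercased before lookup.
POOLS = {
    "test.abc.com": "Test_Pool-8892-pool",
    "test2.def.com": "Test_Pool_2-8892-pool",
}
DEFAULT_POOL = "default_pool"  # stands in for [LB::server pool]


def build_client_hello(server_name=None, session_id=b"", ciphers=(0x1301, 0x1302)):
    """Construct a minimal TLS ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32                       # client_version + 32-byte random
    body += bytes([len(session_id)]) + session_id           # session id length + session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites         # cipher suite list
    body += b"\x01\x00"                                     # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type(0) + len + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list         # server_name_list length
        exts += struct.pack("!HH", 0, len(sni_ext)) + sni_ext         # extension type 0 = SNI
    # A second, non-SNI extension (supported_versions, type 43) so the loop has to skip one.
    supported_versions = b"\x02\x03\x04"
    exts += struct.pack("!HH", 43, len(supported_versions)) + supported_versions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Walk the record exactly as the iRule does.

    Returns the lowercased server name, None when the hello is valid but carries no
    SNI extension, and raises ValueError where the iRule would log and reject.
    """
    # cccScx37c: content type, major, minor, record length, handshake type, skip 37, session id length
    if len(payload) < 44:
        raise ValueError("packet is not a valid TLS 1.X CLIENT_HELLO handshake")
    content_type, major, minor, record_len, hs_type = struct.unpack("!BBBHB", payload[:6])
    sess_len = payload[43]
    if not (content_type == 22 and major == 3 and minor > 0 and hs_type == 1
            and len(payload) == record_len + 5):
        raise ValueError("packet is not a valid TLS 1.X CLIENT_HELLO handshake")
    offset = 44 + sess_len                                  # skip past the session id
    (ciph_len,) = struct.unpack_from("!H", payload, offset)
    offset += 2 + ciph_len                                  # skip past the cipher list
    comp_len = payload[offset]
    offset += 1 + comp_len                                  # skip past the compression list
    if len(payload) <= offset:
        return None                                         # no extensions block at all
    (ext_len,) = struct.unpack_from("!H", payload, offset)
    offset += 2
    if offset + ext_len != len(payload):
        return None                                         # extension length does not match payload
    while offset < len(payload):
        etype, elen = struct.unpack_from("!HH", payload, offset)
        if etype == 0:
            # SSx3S in the iRule: type, length, skip list-length(2)+name-type(1), name length
            (erlen,) = struct.unpack_from("!H", payload, offset + 7)
            name = payload[offset + 9: offset + 9 + erlen]
            return name.decode("ascii").lower()
        offset += 4 + elen                                  # skip over other extensions
    return None


def choose_pool(payload):
    """The pool the iRule would select for this first segment of the connection."""
    name = extract_sni(payload)
    if name is None:
        return DEFAULT_POOL
    return POOLS.get(name, DEFAULT_POOL)


if __name__ == "__main__":
    for host in ("Test.ABC.com", "test2.def.com", "other.example.net", None):
        print(host, "->", choose_pool(build_client_hello(host)))
```

Note that the `$payloadlen == $tls_recordlen+5` test (kept in `extract_sni`) only passes when the whole ClientHello arrives in the first collected segment; a hello that is split across segments, or anything that is not TLS at all, hits the reject branch, which is what the log line in the rule reports.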