CLIENTSSL_HANDSHAKE without Client SSL profile???

Question

Hi there, &nbsp;
&nbsp;I'm trying to set-up a generic ProxyPass rule to support both HTTP and HTTPS connections... &nbsp;
&nbsp;Currently, I've added the following line to the 'CLIENT_ACCEPTED' section:&nbsp;set proto "http"&nbsp;
&nbsp;I've then added the following code block:&nbsp;when CLIENTSSL_HANDSHAKE {
    There was a client side SSL handshake, so update the variable 
   set proto "https"
} &nbsp;
&nbsp;I then use this to do a redirect further down:&nbsp; Perform the default redirect. 
  HTTP::redirect "$proto://[HTTP::host]$rurl" &nbsp;
&nbsp;However when trying to apply this rule to a Virtual without a Client SSL Profile, I get the following error:&nbsp;CLIENTSSL_HANDSHAKE event in rule (/Common/ProxyPass) requires an associated CLIENTSSL profile on the virtual server&nbsp;
&nbsp;Is there any way around this?
&nbsp;What alternatives have I got to reliably check the connection protocol?&nbsp;
&nbsp;Cheers
&nbsp;Gavin &nbsp;&nbsp;

hooleylist · Answer

Hi Gavin, 
&nbsp;  
&nbsp; If you don't have a client SSL profile enabled on the virtual server, you won't be able to use the ProxyPass iRule (or do any other HTTP processing) for HTTPS traffic. 
&nbsp;  
&nbsp; Can you clarify what you're trying to do overall? 
&nbsp;  
&nbsp; Aaron

gavinw_29074 · Answer

Hoolio&nbsp;
&nbsp;I've got several services that we serve over both HTTP and HTTPS. &nbsp;
&nbsp;I'm trying to set-up a standard deployment model using iApps which link in relevant iRules... The ProxyPass rule is one of the rules in use... &nbsp;
&nbsp;As regards what this 'proto' element is trying to achieve, I've made a tweak to the standard ProxyPass to perform a 'default' redirect if the URI being hit isn't on the allowed list... &nbsp;
&nbsp;However I don't want to redirect HTTP connections to HTTPS and vice-versa. 
&nbsp;Hence adding the 'proto' variable and using it on the HTTP::redirect command. &nbsp;
&nbsp;So if there's another reliable way of setting the relevant redirect URL, then I'm happy to tweak the rule again... &nbsp;
&nbsp;Cheers
&nbsp;Gavin &nbsp;

hooleylist · Answer

Can you try this snippet to get the protocol for HTTP and HTTPS virtuals? 
 when HTTP_REQUEST {

Hide the SSL:: command from the iRule parser
    so the iRule can be used on a non-client SSL VS
   set cipher_cmd "SSL::cipher version"

Check if the client used an SSL cipher and it's not "none"
   if {not ([catch {eval $cipher_cmd} result]) &amp;&amp; $result ne "none"}{
       Client did use a cipher
      set proto "https"
   } else {
       Client did not use a cipher
      set proto "http"
   }
}
 
 Aaron

gavinw_29074 · Answer

Aaron 
&nbsp;  
&nbsp; Great snippet there... Have added it to the ProxyPass rule and it's working a treat...  
&nbsp;  
&nbsp; Cheers again.  
&nbsp;  
&nbsp; Gavin

Forum Discussion

CLIENTSSL_HANDSHAKE without Client SSL profile???

4 Replies

Recent Discussions

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Server Profile SNI

Update your DevCentral user profile

DoS Profiles

Parsing F5 BIG-IP LTM DNS profile statistics and extracting values with Python

Bot defence profile on F5 ASM