Forum Discussion

F5-Geek
Sep 18, 2018

iRule help

To create an iRule to create a client SSL profile and server SSL profile on a virtual server using SNI with a wildcard certificate with SAN.

This virtual server would be used for different environments such as abc1.com, abc2.com, abc3.com.

When the client sends the request to the virtual server, get the servername and assign it to the client profile in the client SSL ClientHello.

For example:

    abc1.com: client-ssl-profile-abc, servername abc1.com
    abc2.com: client-ssl-profile-abc, servername abc2.com
    abc3.com: client-ssl-profile-abc, servername abc3.com

When the request goes to the server side, at the server SSL profile, abc1.com is to be replaced with abcsecure1.com.

For example:

    abcsecure1.com: server-ssl-profile-abc, servername abcsecure1.com
    abcsecure2.com: server-ssl-profile-abc, servername abcsecure2.com
    abcsecure3.com: server-ssl-profile-abc, servername abcsecure3.com

 

3 Replies

  • Is the below iRule going to work?

    when HTTP_REQUEST {
        set hostname HTTP::header replace Host "[class match -value [SSL:extension sni name ] equals "hostgroup"]"
    }

    when SERVERSSL_CLIENTHELLO_SEND {
        set bin [binary format S1S1S1S1ca* 0 [expr [string length $hostname] + 5] [expr [string length $hostname] + 3] 0 [string length $hostname] $hostname]
        SSL::extensions insert $bin
    }

    Data group (string): abc1.com=abcsecure1.com abc2.com=abcsecure1.com

  • Hi,

    Find below the iRule you need.

    when HTTP_REQUEST {
        # One flag per environment; all cleared first so SERVER_CONNECTED can test them safely
        set abc1 0
        set abc2 0
        set abc3 0

        # Match on the client's Host header and rewrite it to the backend name
        switch -glob [string tolower [HTTP::host]] {
            "abc1.com" {
                set abc1 1
                HTTP::header replace Host "abcsecure1.com"
            }
            "abc2.com" {
                set abc2 1
                HTTP::header replace Host "abcsecure2.com"
            }
            "abc3.com" {
                set abc3 1
                HTTP::header replace Host "abcsecure3.com"
            }
            default {
                # do nothing
            }
        }
    }

    when SERVER_CONNECTED {
        # Runs once per new server-side connection, after HTTP_REQUEST has set the flags
        # (a reused server-side connection keeps the profile chosen when it was opened);
        # pick the server SSL profile that matches the rewritten Host
        if {$abc1} {
            SSL::enable serverside
            SSL::profile server-ssl-profile-abc1
        } elseif {$abc2} {
            SSL::enable serverside
            SSL::profile server-ssl-profile-abc2
        } elseif {$abc3} {
            SSL::enable serverside
            SSL::profile server-ssl-profile-abc3
        } else {
            SSL::enable serverside
            SSL::profile serverssl-insecure-compatible
        }
    }
    

    As you can notice, I set a different server SSL profile depending on the hostname you entered. It is just an example.

    You can set the same one if you want.

    regards,

  • Hi,

    This code won't work:

    set hostname HTTP::header replace Host "[class match -value [SSL:extension sni name ] equals "hostgroup"]"

    Maybe this one:

    set hostname [HTTP::header replace Host "[class match -value [SSL:extension sni name ] equals "hostgroup"]" ]

    I'm not sure [SSL:extension sni name ] works in the HTTP_REQUEST event. You may catch it in CLIENTSSL_CLIENTHELLO and change the Host header in HTTP_REQUEST:

     

    when CLIENTSSL_CLIENTHELLO {
        # SNI is extension type 0; SSL::extensions -type 0 returns it with its 9-byte header,
        # so skip 9 bytes and take the rest as the name, then look up the backend name
        set hostname ""
        if { [SSL::extensions exists -type 0] } {
            binary scan [SSL::extensions -type 0] {@9A*} sni_name
            set hostname [class match -value [string tolower $sni_name] equals "hostgroup"]
        }
    }

    when HTTP_REQUEST {
        if { $hostname ne "" } { HTTP::header replace Host $hostname }
    }

    when SERVERSSL_CLIENTHELLO_SEND {
        if { $hostname ne "" } {
            # server_name extension: type 0, length len+5, list length len+3, name type 0, length len, name
            set bin [binary format S1S1S1S1ca* 0 [expr {[string length $hostname] + 5}] [expr {[string length $hostname] + 3}] 0 [string length $hostname] $hostname]
            SSL::extensions insert $bin
        }
    }
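Added example, not code from the thread or from F5: the `binary format S1S1S1S1ca*` line in the two iRules above hand-assembles the TLS server_name (SNI) extension, and the Python below shows what those bytes are. It encodes the extension the RFC 6066 way and the iRule's way, parses it back with a length-checking parser (and with the usual iRule `@9A*` shortcut), and runs the thread's client-SNI to backend-SNI mapping end to end. The `HOST_TO_BACKEND` dict is a constructed stand-in for the `hostgroup` data group and the function names are this example's own. It also goes beyond the thread's case by showing the one input where the two encodings differ: a host name of 256 bytes or more, where the iRule's single-byte length field wraps.

```python
import struct
from typing import Callable, Optional

SNI_EXTENSION_TYPE = 0       # ExtensionType server_name (RFC 6066 section 3)
SNI_NAME_TYPE_HOST_NAME = 0  # NameType host_name

# Constructed stand-in for the thread's "hostgroup" data group: client SNI -> backend SNI.
HOST_TO_BACKEND = {
    "abc1.com": "abcsecure1.com",
    "abc2.com": "abcsecure2.com",
    "abc3.com": "abcsecure3.com",
}


def build_sni_extension(hostname: str) -> bytes:
    """RFC 6066 layout: type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name."""
    name = hostname.encode("ascii")
    if not name or len(name) > 0xFFFF:
        raise ValueError("host_name must be 1..65535 bytes")
    entry = struct.pack("!BH", SNI_NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_sni_extension_irule_style(hostname: str) -> bytes:
    """Byte-for-byte what  binary format S1S1S1S1ca* 0 len+5 len+3 0 len name  emits.

    Tcl 'S' is a big-endian 16-bit field and 'c' stores the low 8 bits of its argument, so
    the name type goes out as two bytes and the length as one. For name type 0 and a name
    shorter than 256 bytes that is the same byte string as the RFC layout (00 00 ll);
    from 256 bytes on the two diverge and the length byte silently wraps.
    """
    name = hostname.encode("ascii")
    n = len(name)
    return struct.pack("!HHHHB", 0, n + 5, n + 3, 0, n & 0xFF) + name


def parse_sni_hostname(ext: bytes) -> str:
    """Strict parse of one server_name extension (header included); returns the host_name.

    Every length field is checked against the bytes actually present and the list must be
    consumed exactly, so a mis-encoded extension raises instead of yielding a truncated name.
    """
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack_from("!HH", ext, 0)
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError(f"not a server_name extension (type {ext_type})")
    body = ext[4:]
    if len(body) != ext_len or len(body) < 2:
        raise ValueError("extension_length does not match data")
    (list_len,) = struct.unpack_from("!H", body, 0)
    if list_len != len(body) - 2:
        raise ValueError("server_name_list length does not match data")
    pos, hostname = 2, None
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("ServerName entry truncated")
        name_type, name_len = struct.unpack_from("!BH", body, pos)
        pos += 3
        name = body[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("HostName truncated")
        pos += name_len
        if name_type == SNI_NAME_TYPE_HOST_NAME:
            if hostname is not None:
                raise ValueError("more than one host_name entry")  # forbidden by RFC 6066
            hostname = name.decode("ascii")
    if hostname is None:
        raise ValueError("no host_name entry")
    return hostname


def irule_scan_hostname(ext: bytes) -> str:
    """Mirror of the iRule shortcut  binary scan [SSL::extensions -type 0] {@9A*} name :
    skip the 9 header bytes and take the rest. Fine for the single host_name entry
    RFC 6066 allows, but it does no length checking at all."""
    return ext[9:].decode("ascii")


def roundtrip_ok(hostname: str, encoder: Callable[[str], bytes]) -> bool:
    """Does the strict parser recover exactly the name the encoder was given?"""
    try:
        return parse_sni_hostname(encoder(hostname)) == hostname
    except ValueError:
        return False


def serverside_sni_for(client_ext: bytes) -> Optional[bytes]:
    """The thread's flow end to end: read the client SNI, map it through the data group, and
    build the extension the iRule inserts into the server-side ClientHello (None if unmapped)."""
    backend = HOST_TO_BACKEND.get(parse_sni_hostname(client_ext).lower())
    return None if backend is None else build_sni_extension(backend)


if __name__ == "__main__":
    ext = build_sni_extension("abc1.com")
    print(ext.hex(" "))                                            # 00 00 00 0d 00 0b 00 00 08 61 62 63 31 2e 63 6f 6d
    print(ext == build_sni_extension_irule_style("abc1.com"))      # True: identical under 256 bytes
    print(roundtrip_ok("a" * 300, build_sni_extension_irule_style))  # False: length byte wrapped
    print(parse_sni_hostname(serverside_sni_for(ext)))             # abcsecure1.com
```

The last two prints are the practical check: the iRule encoding is byte-identical to the RFC layout for every realistic host name, and the strict parser rejects the wrapped form rather than returning a truncated name. In the iRule itself the same read is `binary scan [SSL::extensions -type 0] {@9A*} sni_name`, which `irule_scan_hostname` mirrors; the strict parser is what you would want on anything that handles ClientHellos from untrusted clients.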