Forum Discussion

GavinW_29074
Jan 03, 2012

CLIENTSSL_HANDSHAKE without Client SSL profile???

Hi there,

I'm trying to set up a generic ProxyPass rule to support both HTTP and HTTPS connections...

Currently, I've added the following line to the 'CLIENT_ACCEPTED' section:

set proto "http"

I've then added the following code block:

when CLIENTSSL_HANDSHAKE {
    # There was a client side SSL handshake, so update the variable
    set proto "https"
}

I then use this to do a redirect further down:

# Perform the default redirect.
HTTP::redirect "$proto://[HTTP::host]$rurl"

However, when trying to apply this rule to a Virtual without a Client SSL Profile, I get the following error:

CLIENTSSL_HANDSHAKE event in rule (/Common/ProxyPass) requires an associated CLIENTSSL profile on the virtual server

Is there any way around this?

What alternatives have I got to reliably check the connection protocol?

Cheers

Gavin

 

 

  • Hi Gavin,

    If you don't have a client SSL profile enabled on the virtual server, you won't be able to use the ProxyPass iRule (or do any other HTTP processing) for HTTPS traffic.

    Can you clarify what you're trying to do overall?

    Aaron
  • Hoolio

    I've got several services that we serve over both HTTP and HTTPS.

    I'm trying to set up a standard deployment model using iApps which link in relevant iRules... The ProxyPass rule is one of the rules in use...

    As regards what this 'proto' element is trying to achieve, I've made a tweak to the standard ProxyPass to perform a 'default' redirect if the URI being hit isn't on the allowed list...

    However, I don't want to redirect HTTP connections to HTTPS and vice-versa.

    Hence adding the 'proto' variable and using it on the HTTP::redirect command.

    So if there's another reliable way of setting the relevant redirect URL, then I'm happy to tweak the rule again...

    Cheers

    Gavin

     

  • Can you try this snippet to get the protocol for HTTP and HTTPS virtuals?

    when HTTP_REQUEST {

        # Hide the SSL:: command from the iRule parser
        # so the iRule can be used on a non-client SSL VS
        set cipher_cmd "SSL::cipher version"

        # Check if the client used an SSL cipher and it's not "none"
        if {not ([catch {eval $cipher_cmd} result]) && $result ne "none"} {
            # Client did use a cipher
            set proto "https"
        } else {
            # Client did not use a cipher
            set proto "http"
        }
    }

    Aaron
  • Aaron

    Great snippet there... Have added it to the ProxyPass rule and it's working a treat...

    Cheers again.

    Gavin