Forum Discussion
GavinW_29074
Nimbostratus
Jan 03, 2012
CLIENTSSL_HANDSHAKE without Client SSL profile???
Hi there,
I'm trying to set up a generic ProxyPass rule to support both HTTP and HTTPS connections...
Currently, I've added the following line to the 'CLIENT_ACCEPTED' section:
set proto "http"
I've then added the following code block:
when CLIENTSSL_HANDSHAKE {
    # There was a client side SSL handshake, so update the variable
    set proto "https"
}
I then use this to do a redirect further down:
# Perform the default redirect.
HTTP::redirect "$proto://[HTTP::host]$rurl"
However when trying to apply this rule to a Virtual without a Client SSL Profile, I get the following error:
CLIENTSSL_HANDSHAKE event in rule (/Common/ProxyPass) requires an associated CLIENTSSL profile on the virtual server
Is there any way around this?
What alternatives have I got to reliably check the connection protocol?
Cheers
Gavin
4 Replies
- hoolio
Cirrostratus
Hi Gavin,
If you don't have a client SSL profile enabled on the virtual server, you won't be able to use the ProxyPass iRule (or do any other HTTP processing) for HTTPS traffic.
Can you clarify what you're trying to do overall?
Aaron
- GavinW_29074
Nimbostratus
Hoolio
I've got several services that we serve over both HTTP and HTTPS.
I'm trying to set up a standard deployment model using iApps which link in relevant iRules... The ProxyPass rule is one of the rules in use...
As regards what this 'proto' element is trying to achieve, I've made a tweak to the standard ProxyPass to perform a 'default' redirect if the URI being hit isn't on the allowed list...
However I don't want to redirect HTTP connections to HTTPS and vice-versa.
Hence adding the 'proto' variable and using it on the HTTP::redirect command.
So if there's another reliable way of setting the relevant redirect URL, then I'm happy to tweak the rule again...
Cheers
Gavin
- hoolio
Cirrostratus
Can you try this snippet to get the protocol for HTTP and HTTPS virtuals?
when HTTP_REQUEST {

    # Hide the SSL:: command from the iRule parser so the iRule can be used on a non-client SSL VS
    set cipher_cmd "SSL::cipher version"

    # Check if the client used an SSL cipher and it's not "none"
    if {not ([catch {eval $cipher_cmd} result]) && $result ne "none"} {
        # Client did use a cipher
        set proto "https"
    } else {
        # Client did not use a cipher
        set proto "http"
    }
}
Aaron
- GavinW_29074
Nimbostratus
Aaron
Great snippet there... Have added it to the ProxyPass rule and it's working a treat...
Cheers again.
Gavin
