For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Thornid's avatar
Thornid
Icon for Nimbostratus rankNimbostratus
Jul 28, 2020

Help with iRule to enable SSL profile based on XFF Header

Hi all We have some apps on our F5s that will need to go behind the Silverline WAF (can't use ASM so this is our only option). Currently on the F5s we have an iRule which selects a particular clie...
application delivery
iRules
LTM
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Aug 03, 2020

You need to use SSL::renegotiate

 

As you say, you need to examine the X-Forwarded-For header, but that does not arrive until after TLS negotiation.

 

So you establish un-authenticated TLS, and then examine the XFF header, select the new TLS settings, and SSL::renegotiate

 

However, the actual endpoint from the client perspective will be Silverline, who will be terminating TLS. I don't really see how you can make this work in this context.