iRule to extract SNI and forward to Virtual Server
Hey guys,
Currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies are a bit nasty to configure. Anyways, I deployed this simple iRule
when CLIENTSSL_CLIENTHELLO priority 100 {
set sni [SSL::extensions -type 0]
log local0. "Client SNI: $sni"
if { $sni equals "fqdn.com" } {
virtual vs-https443-fqdn.com
} else {
drop
}
}
The log says this
<CLIENTSSL_CLIENTHELLO>: Client SNI: �����������fqdn.com
The forwarding does not work. I think it's binary. I was able to trim away these characters
set sni [string range [SSL::extensions -type 0] 9 end]
and the forwarding worked out. I thought I had to trim 10 characters (indexing starts with 0, not 1) but I had to use 9 because the first character of the FQDN has been removed. Any ideas on this?
However, it works. What would be your approach to solve this? And lastly is there a possibility to decode the binary stuff?
This looks great Lucas. Line 6 is missing the close quote. To make it map fqdn's to virtuals, I assume it would look like this:
when CLIENTSSL_CLIENTHELLO priority 100 { if {[SSL::extensions exists -type 0]} { binary scan [SSL::extensions -type 0] @9a* SNI if {[regexp {(?i)[^a-z0-9.-]} $SNI]} { log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI" } elseif {[info exists SNI] && ($SNI equals "fqdn-a.com")} { virtual a #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]" } elseif {[info exists SNI] && ($SNI equals "fqdn-b.com")} { virtual b #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]" } } }