Forum Discussion
iRule to extract SNI and forward to Virtual Server
- Aug 27, 2024
This looks great, Lucas. Line 6 is missing the close quote. To make it map FQDNs to virtuals, I assume it would look like this:
```tcl
when CLIENTSSL_CLIENTHELLO priority 100 {
    if {[SSL::extensions exists -type 0]} {
        binary scan [SSL::extensions -type 0] @9a* SNI
        if {[regexp {(?i)[^a-z0-9.-]} $SNI]} {
            log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI"
        } elseif {[info exists SNI] && ($SNI equals "fqdn-a.com")} {
            virtual a
            #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
        } elseif {[info exists SNI] && ($SNI equals "fqdn-b.com")} {
            virtual b
            #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
        }
    }
}
```
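An added example, not part of any post in this thread: the `@9a*` scan above skips nine bytes of server_name extension header (RFC 6066), and this plain-Tcl sketch checks those header fields and normalizes case before the FQDN comparison. The proc names and `build_ext` sample builder are hypothetical; it runs in `tclsh` on constructed bytes, and in an iRule the input would be `[SSL::extensions -type 0]`.

```tcl
# Added example; proc names are hypothetical, sample bytes are constructed.
# Layout: ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) host_name
proc parse_sni {ext} {
    # All five header fields must be present (9 bytes), otherwise reject.
    if {[binary scan $ext SSScS etype elen llen ntype nlen] != 5} { return "" }
    set nlen [expr {$nlen & 0xffff}]   ;# S is signed; mask to unsigned 16 bit
    # Extension type 0 = server_name, name_type 0 = host_name.
    if {$etype != 0 || $ntype != 0} { return "" }
    # The declared name length must fit inside the bytes actually received.
    if {$nlen == 0 || [string length $ext] < 9 + $nlen} { return "" }
    binary scan $ext @9a${nlen} name
    # Reject anything outside hostname characters (also keeps CR/LF out of logs).
    if {[regexp {[^A-Za-z0-9.-]} $name]} { return "" }
    # DNS names are case-insensitive; normalize before comparing.
    return [string tolower $name]
}

# Map a normalized SNI to a virtual server name; "" means no match.
proc virtual_for_sni {name} {
    switch -- $name {
        "fqdn-a.com" { return "a" }
        "fqdn-b.com" { return "b" }
        default      { return "" }
    }
}

# Build a constructed server_name extension for testing.
proc build_ext {host {ntype 0}} {
    set n [string length $host]
    return [binary format SSScSa* 0 [expr {$n + 5}] [expr {$n + 3}] $ntype $n $host]
}

set samples [list \
    [build_ext "FQDN-A.com"] \
    [build_ext "fqdn-b.com"] \
    [build_ext "bad\r\nname"] \
    [build_ext "fqdn-a.com" 1] \
    "\x00\x00\x00"]

foreach ext $samples {
    set sni [parse_sni $ext]
    puts [format "sni=%-14s virtual=%s" "\"$sni\"" "\"[virtual_for_sni $sni]\""]
}
```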
SNI-based routing is easy and efficient using a local traffic policy. Why complicate it with an iRule? Please refer to the article below.
Thanks for your reply. Well, yes, traffic policies are easy in a way. On the other hand they feel not native to me in the BIG-IP ecosystem. I can't explain that exactly, it's very subjective. Also, configuring a traffic policy through REST is kind of complicated: create a draft, add the configuration, publish the policy. Changing an iRule is one single POST.