Forum Discussion

seamlessfirework's avatar
seamlessfirework
Icon for Cirrostratus rankCirrostratus
Aug 22, 2024
Solved

iRule to extract SNI and forward to Virtual Server

Hey guys, Currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies ...
irule
LTM
  • DanSkow's avatar
    DanSkow
    Aug 27, 2024

    This looks great Lucas. Line 6 is missing the close quote. To make it map fqdn's to virtuals, I assume it would look like this:

    when CLIENTSSL_CLIENTHELLO priority 100 {
if {[SSL::extensions exists -type 0]} {
  binary scan [SSL::extensions -type 0] @9a* SNI
  if {[regexp {(?i)[^a-z0-9.-]} $SNI]} {
    log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI" } 
    elseif {[info exists SNI] && ($SNI equals "fqdn-a.com")} {
        virtual a 
        #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
  }
    elseif {[info exists SNI] && ($SNI equals "fqdn-b.com")} {
        virtual b 
        #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
  }
}
}

     

DanSkow's avatar
DanSkow
Icon for Cirrus rankCirrus
Aug 26, 2024

I assume you'd either have to add a binary scan event to the iRule, or change the logic from "equals fqdn.com" to "contains fqdn.com" or "ends_with fqdn.com"