seamlessfirework
Aug 22, 2024
Solved

iRule to extract SNI and forward to Virtual Server

Hey guys, Currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies ...
  • DanSkow
    Aug 27, 2024

    This looks great, Lucas. Line 6 is missing the close quote. To make it map FQDNs to virtuals, I assume it would look like this:

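    when CLIENTSSL_CLIENTHELLO priority 100 {
        # Extension type 0 is server_name (SNI)
        if {[SSL::extensions exists -type 0]} {
            # Skip the 9 header bytes that precede the host name
            binary scan [SSL::extensions -type 0] @9a* SNI
            if {[regexp {(?i)[^a-z0-9.-]} $SNI]} {
                # Anything other than letters, digits, dot or hyphen is not a valid host name
                log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI"
            } elseif {[info exists SNI] && ([string tolower $SNI] equals "fqdn-a.com")} {
                # Tcl requires elseif on the same line as the preceding closing brace;
                # host names are compared in lower case because DNS names are case-insensitive
                virtual a
                #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
            } elseif {[info exists SNI] && ([string tolower $SNI] equals "fqdn-b.com")} {
                virtual b
                #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
            }
        }
    }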
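
The `@9` offset in the rule above skips the header of the server_name extension without checking any of its length fields. The following is an added example, not code from the thread or from F5: plain Tcl (8.4-compatible) that validates those fields before the name is trusted. `parse_sni`, `make_sni_ext` and `vs_map` are hypothetical names, the input bytes are constructed, and the header layout is the one the `@9` offset assumes.

```tcl
# Layout assumed by "@9":
#   ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) host_name
# Returns the lower-cased host name, or "" if anything is inconsistent.
proc parse_sni {ext} {
    if {[binary scan $ext SSScS etype elen llen ntype nlen] != 5} {
        return ""                        ;# shorter than the 9-byte header
    }
    # Tcl 8.4 has no unsigned scan modifier, so mask the 16-bit fields.
    set elen [expr {$elen & 0xffff}]
    set llen [expr {$llen & 0xffff}]
    set nlen [expr {$nlen & 0xffff}]
    # Type 0 = server_name, name_type 0 = host_name.
    if {$etype != 0 || $ntype != 0} { return "" }
    # Lengths must nest exactly; this also rejects lists with a second entry.
    if {$elen != [string length $ext] - 4} { return "" }
    if {$llen != $elen - 2 || $nlen != $llen - 3} { return "" }
    if {$nlen < 1 || $nlen > 255} { return "" }
    binary scan $ext @9a${nlen} name
    set name [string tolower $name]
    # Allow-list: letters, digits and hyphens in dot-separated labels.
    if {![regexp {^[a-z0-9-]+(\.[a-z0-9-]+)*$} $name]} { return "" }
    return $name
}

# Constructed sample input: builds a server_name extension for one host.
proc make_sni_ext {host} {
    set n [string length $host]
    return [binary format SSScSa* 0 [expr {$n + 5}] [expr {$n + 3}] 0 $n $host]
}

# Hypothetical host -> virtual server map ("a" and "b" as in the reply above).
array set vs_map {fqdn-a.com a fqdn-b.com b}

# Mixed-case name, name with an embedded newline, truncated extension.
foreach ext [list [make_sni_ext "FQDN-A.com"] \
                  [make_sni_ext "bad\nhost"] \
                  [string range [make_sni_ext "fqdn-b.com"] 0 11]] {
    set sni [parse_sni $ext]
    if {$sni ne "" && [info exists vs_map($sni)]} {
        puts "forward to virtual $vs_map($sni)"
    } else {
        puts "no match, keep default handling"
    }
}
```

Because the rejected value is never written to the log, a name containing control characters cannot inject extra log lines.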