Forum Discussion
seamlessfirework
Cirrostratus
CirrostratusiRule to extract SNI and forward to Virtual Server
Hey guys, Currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies ...
This looks great Lucas. Line 6 is missing the close quote. To make it map fqdn's to virtuals, I assume it would look like this:
when CLIENTSSL_CLIENTHELLO priority 100 { if {[SSL::extensions exists -type 0]} { binary scan [SSL::extensions -type 0] @9a* SNI if {[regexp {(?i)[^a-z0-9.-]} $SNI]} { log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI" } elseif {[info exists SNI] && ($SNI equals "fqdn-a.com")} { virtual a #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]" } elseif {[info exists SNI] && ($SNI equals "fqdn-b.com")} { virtual b #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]" } } }
DanSkow
Cirrus
CirrusThis looks great Lucas. Line 6 is missing the close quote. To make it map fqdn's to virtuals, I assume it would look like this:
when CLIENTSSL_CLIENTHELLO priority 100 {
if {[SSL::extensions exists -type 0]} {
binary scan [SSL::extensions -type 0] @9a* SNI
if {[regexp {(?i)[^a-z0-9.-]} $SNI]} {
log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI" }
elseif {[info exists SNI] && ($SNI equals "fqdn-a.com")} {
virtual a
#log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
}
elseif {[info exists SNI] && ($SNI equals "fqdn-b.com")} {
virtual b
#log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
}
}
}
seamlessfireworkCirrostratus
CirrostratusThanks a lot that worked great!
I added some (cosmetical) improvements. The irule VS code extension suggested to add "--" after the regexp because of argument injection. So I added it.
when CLIENTSSL_CLIENTHELLO priority 100 {
if { [SSL::extensions exists -type 0] } {
binary scan [SSL::extensions -type 0] @9a* client_sni
if { [regexp -- {(?i)[^a-z0-9.-]} $client_sni] } {
log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $client_sni"
}
elseif { [info exists client_sni] && ($client_sni equals "fqdn-a.com") } {
virtual a
log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $client_sni]"
}
elseif { [info exists client_sni] && ($client_sni equals "fqdn-b.com") } {
virtual b
log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $client_sni]"
}
else { drop }
}
}
