Forum Discussion
seamlessfirework
Cirrostratus
Aug 22, 2024
iRule to extract SNI and forward to Virtual Server
Hey guys, Currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies ...
DanSkow
Cirrus
Aug 27, 2024
This looks great Lucas. Line 6 is missing the close quote. To make it map fqdn's to virtuals, I assume it would look like this:
when CLIENTSSL_CLIENTHELLO priority 100 {
    if {[SSL::extensions exists -type 0]} {
        # skip type(2) + ext length(2) + list length(2) + name type(1) + name length(2)
        binary scan [SSL::extensions -type 0] @9a* SNI
        if {[regexp {(?i)[^a-z0-9.-]} $SNI]} {
            log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $SNI"
        } elseif {[info exists SNI] && ($SNI equals "fqdn-a.com")} {
            virtual a
            #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
        } elseif {[info exists SNI] && ($SNI equals "fqdn-b.com")} {
            virtual b
            #log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $SNI]"
        }
    }
}
seamlessfirework
Cirrostratus
Aug 28, 2024
Thanks a lot, that worked great!
I added some (cosmetic) improvements. The iRule VS Code extension suggested adding "--" after the regexp because of argument injection, so I added it.
when CLIENTSSL_CLIENTHELLO priority 100 {
    if { [SSL::extensions exists -type 0] } {
        # skip type(2) + ext length(2) + list length(2) + name type(1) + name length(2)
        binary scan [SSL::extensions -type 0] @9a* client_sni
        # "--" ends option parsing so the pattern can never be read as a regexp switch
        if { [regexp -- {(?i)[^a-z0-9.-]} $client_sni] } {
            log local0. "CLIENTSSL_CLIENTHELLO client offered bogus SNI: $client_sni"
        } elseif { [info exists client_sni] && ($client_sni equals "fqdn-a.com") } {
            virtual a
            log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $client_sni]"
        } elseif { [info exists client_sni] && ($client_sni equals "fqdn-b.com") } {
            virtual b
            log local0. "CLIENTSSL_CLIENTHELLO client offered this SNI: [string tolower $client_sni]"
        } else {
            drop
        }
    }
}
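Worked example added to this thread (Python, not code from the posts above or from F5): it shows what the `binary scan [SSL::extensions -type 0] @9a* client_sni` idiom is actually reading, by parsing the server_name extension with every RFC 6066 length field checked instead of a blind 9-byte skip, then applying the same `[^a-z0-9.-]` whitelist and the same fqdn-a.com / fqdn-b.com routing decisions as the iRule. It goes one step past the posted rule by lowercasing the name before the lookup (the iRule's `equals` comparison is case-sensitive, so `FQDN-A.COM` would fall into the drop branch there). The extension bytes, the hostnames and the names `SNI_TO_VIRTUAL`, `build_sni_extension`, `parse_sni_extension` and `route_client_hello` are all constructed for this example.

```python
"""Parse and route on the TLS server_name extension, mirroring the iRules in this thread."""
import re
import struct
from typing import Optional, Tuple

# Same check as the iRule: any character outside [a-z0-9.-] (case-insensitive) is bogus.
BOGUS_SNI_RE = re.compile(r"(?i)[^a-z0-9.-]")

# Assumed SNI -> backside virtual server mapping (the thread's "virtual a" / "virtual b").
SNI_TO_VIRTUAL = {
    "fqdn-a.com": "a",
    "fqdn-b.com": "b",
}


def build_sni_extension(hostname: bytes) -> bytes:
    """Build a server_name extension as it appears in a ClientHello (constructed test input):
    type(2) | ext_len(2) | list_len(2) | name_type(1) | name_len(2) | name
    Those five fields are the 9 bytes the iRule skips with @9a*."""
    entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname        # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return b"\x00\x00" + struct.pack("!H", len(server_name_list)) + server_name_list


def parse_sni_extension(ext: bytes) -> Optional[str]:
    """Return the first host_name entry, or None if the extension is malformed.
    Unlike @9a*, each length is validated, so a truncated or padded extension
    is rejected instead of yielding trailing garbage as the hostname."""
    if len(ext) < 9:
        return None
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0 or ext_len != len(ext) - 4:
        return None
    (list_len,) = struct.unpack("!H", ext[4:6])
    if list_len != ext_len - 2:
        return None
    offset = 6
    while offset + 3 <= len(ext):
        name_type = ext[offset]
        (name_len,) = struct.unpack("!H", ext[offset + 1:offset + 3])
        offset += 3
        if offset + name_len > len(ext):
            return None                     # name length overruns the extension
        name = ext[offset:offset + name_len]
        offset += name_len
        if name_type == 0:                  # host_name, the only type RFC 6066 defines
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def route_client_hello(ext: Optional[bytes]) -> Tuple[str, Optional[str]]:
    """Reproduce the iRule's decision for one ClientHello:
    ("no-sni", None)   extension absent: traffic stays on the frontside VS
    ("bogus", sni)     failed the whitelist (or unparseable): the iRule only logs this
    ("virtual", name)  forwarded to the backside virtual server
    ("drop", sni)      well-formed SNI with no mapping: the OP's final else branch"""
    if ext is None:
        return ("no-sni", None)
    sni = parse_sni_extension(ext)
    if sni is None or BOGUS_SNI_RE.search(sni):
        return ("bogus", sni)
    virtual = SNI_TO_VIRTUAL.get(sni.lower())   # hostnames are case-insensitive
    if virtual is None:
        return ("drop", sni)
    return ("virtual", virtual)


# Constructed sample ClientHello server_name extensions.
SAMPLES = {
    "a":         build_sni_extension(b"fqdn-a.com"),
    "upper":     build_sni_extension(b"FQDN-B.COM"),
    "bogus":     build_sni_extension(b"fqdn-a.com/../x"),
    "truncated": build_sni_extension(b"fqdn-a.com")[:8],
    "unknown":   build_sni_extension(b"other.example"),
}

if __name__ == "__main__":
    for label, ext in SAMPLES.items():
        print(label, route_client_hello(ext))
```

The length checks are the part worth carrying back to the iRule: `@9a*` reads from byte 9 to the end of the extension, so it trusts the client's framing completely, and the regexp whitelist in the posts is what keeps an oversized or binary "hostname" from reaching the `virtual` command or the log line.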