For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stephan_Manthey's avatar
Stephan_Manthey
Historic F5 Account
Nov 14, 2004

irule to insert a client-cert into a proxy-request

we want to use the big-ip to act as a   https-proxy that inserts a client-cert   to request a server via another proxy.   can this be solved by in irule?   the issue here from my...
application delivery
dev
devops
iRules
unRuleY_95363's avatar
unRuleY_95363
Historic F5 Account
Nov 22, 2004
We have had a hard time figuring out exactly what you are trying to solve. So, I suggest we try to break apart the problem into some smaller pieces.

So, let's first discuss the proxy part of this. I think that you are asking for help on writing a rule that parses the "connect" of a proxy-tunneled ssl request. The format of this type of request is:

connect HTTP/1.0

User-Agent: foo

So, the rule must first parse the proxy connect header, before passing the request on to the SSL layer. In this example, we always terminate uri requests to port 443 but not other ports. This can additionally be modified to pass encrypted data through to the node depending on the uri (see the SSL::disable command which disables SSL termination and/or re-encryption). 

       
       rule proxy-connect {       
          when CLIENT_ACCEPTED {       
             set proxied 0       
             TCP::collect       
          }       
          when CLIENT_DATA {       
             binary scan [TCP::payload] a* request       
             set req_len [string first "\r\n\r\n" $request]       
             if { $req_len == -1 } {       
                 Couldn't find the complete request, must not have it all yet       
                TCP::collect       
                return       
             }       
              include the closing  in the request length      
             set request [string range $request 0 $req_len]       
             incr req_len 4       
              
              Save the URI, port, version and headers       
             if { not [regexp -nocase "^CONNECT (.+)(?::(\d+)) (HTTP/1\.[01])\r?\n(.*)$" $request -> uri port version headers] } {       
                 Not a proxy connect request, just release the data       
                 (could also reject the connection here using "reject")       
                TCP::release       
                return       
             }       
              
             if { $port != 443 } {       
                 Don't SSL terminate connect requests to non-443 ports       
                SSL::disable       
             }       
              
              Remember that we found a "CONNECT" request       
             set proxied 1       
              
              Remove the connect request header       
             TCP::payload replace 0 $req_len {}       
                   
              If name resolution is needed on the uri use the NAME::lookup cmd like so:       
             NAME::lookup [URI::host $uri]       
          }       
          when NAME_RESOLVED {       
              Use the resolved uri's address       
             node [NAME::response] $port       
             TCP::release       
          }       
          when SERVER_CONNECTED {       
             if { $proxied } {       
                clientside { TCP::respond "$version 200 Connection Established\r\nProxy-Agent: BigIP v9\r\n\r\n" }       
             }       
          }       
       }

Note: this rule has not be tested.