Forum Discussion
Fernas
Nimbostratus
NimbostratusManipulating Hostname and SNI
Hello everyone, I have this situation: I need to access website (sitea.com), then i need the F5 replace the host and SNI by siteb.com, is it possible? We are trying to use an iRule to man...
spalande
Nacreous
NacreousThere is no in-built functionality to send SNI value in serverside TLS connection as mentioned in https://my.f5.com/manage/s/article/K41600007
But you can try with below iRule to replace HOST header and SNI value on the serverside connection. Please let us know how the testing goes.
when HTTP_REQUEST {
# Replace the host header value with siteb.com
HTTP::header replace Host "siteb.com"
set sni_value "siteb.com"
}
when SERVERSSL_CLIENTHELLO_SEND {
# SNI extension record as defined in RFC 3546/3.1
#
# - TLS Extension Type = int16( 0 = SNI )
# - TLS Extension Length = int16( $sni_length + 5 byte )
# - SNI Record Length = int16( $sni_length + 3 byte)
# - SNI Record Type = int8( 0 = HOST )
# - SNI Record Value Length = int16( $sni_length )
# - SNI Record Value = str( $sni_value )
#
# Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields
# and add the result to the SERVERSSL_CLIENTHELLO
SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
}
