Forum Discussion

Stephen_Winter
Nimbostratus
Dec 30, 2008

Pool choice based on TCP packet contents?

Hi All,

We're looking for a way to differentiate "clients" coming to our HTTPS VIP based on the SSL Hello they send when setting up the connection. We want to send people who do not support EV certs to one pool and those that do to another.

Since it's all SSL, we can't use the HTTP:Header or related commands, and I'm not sure if there are any others that would work as an alternative.

Thanks.

2 Replies

  • Colin_Walker_12
    Historic F5 Account
    Unless you're planning on setting up SSL offloading on your BIG-IP, there isn't much information you'll be able to gather since everything will be encrypted. Are you looking to decrypt on your BIG-IP? If so, the HTTP commands would work fine.

    Colin
  • Colin,

    We are not looking to do the SSL Offloading at the moment.

    In looking at some other examples in the forums, we're looking to see if the client we're having problems with (Quicken for MAC) has something unique in the SSL Cipher strings that we can key off of with the TCP:collect and TCP:payload commands...

    Once we (hopefully) find something, I'll just add a "pool" statement to the proper spot in the If/Else, with the non-match using the default pool.

    when CLIENT_ACCEPTED {
        # Collect at least the 5-byte SSL record header so the
        # "160301" check below has enough data to look at
        TCP::collect 5
    }

    when CLIENT_DATA {
        # Hex-encode the collected payload for inspection
        binary scan [TCP::payload] H* clientdata
        log local0. "Data: $clientdata"
        # A TLS 1.0 handshake record begins with 16 03 01
        if { $clientdata starts_with "160301" } {
            log local0. "Match Found from [IP::client_addr]:[TCP::client_port]"
        } else {
            log local0. "Match Not Found from [IP::client_addr]:[TCP::client_port]"
        }
        # Release the collected bytes so the connection can proceed
        TCP::release
    }
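The bytes the rule above collects are a structured Client Hello, so the following parser (an added example, not code from this thread or from F5) pulls the record version, client version and offered cipher suites out of a hand-built TLS 1.0 hello; the names build_client_hello and parse_client_hello are made up here, and the sample bytes are constructed, not captured. It also handles the SSLv2-compatible hello format that some older clients send, which carries no 16 03 01 record header and so never matches the "160301" check.

```python
import struct

# Constructed sample builder: a TLS 1.0 ClientHello offering the given
# cipher suites (assembled by hand for this example, not a capture).
def build_client_hello(suites, version=(3, 1)):
    body = bytes(version) + b"\x00" * 32            # client_version + random
    body += b"\x00"                                 # session_id length = 0
    body += struct.pack("!H", 2 * len(suites))      # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data):
    """Return versions and cipher suites, or an 'error' key explaining why
    these bytes are not a TLS-record ClientHello."""
    if not data:
        return {"error": "no data"}
    if data[0] & 0x80:
        # SSLv2-compatible hello: 2-byte length with the high bit set and no
        # 0x16 record header, so a "160301" prefix check misses these clients.
        return {"error": "sslv2-compatible hello"}
    if data[0] != 0x16:
        return {"error": "not a handshake record"}
    if len(data) < 5:
        return {"error": "record truncated; collect more bytes"}
    rec_ver = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return {"error": "record truncated; collect more bytes"}
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return {"error": "handshake is not ClientHello"}
    p = 4                                   # skip type + 3-byte length
    client_ver = (hs[p], hs[p + 1])
    p += 2 + 32                             # version + 32-byte random
    sid_len = hs[p]
    p += 1 + sid_len                        # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    if p + cs_len > len(hs):
        return {"error": "cipher suite list truncated"}
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites}

SAMPLE = build_client_hello([0x0004, 0x0005, 0x002F])
SSLV2_SAMPLE = bytes([0x80, 0x2E, 0x01, 0x00, 0x02])  # constructed prefix only
```

Hex-encoding SAMPLE the way the iRule does gives a string starting with "160301"; SSLV2_SAMPLE shows the client format that check would silently send to the default pool.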