Forum Discussion
Matt_May_64216
Nimbostratus
Oct 06, 2005
Reading TCP:Payload from a SSL'd Virtual Server
I'm trying to read the first few bytes of an incoming connection to decide where it goes. When I have an SSL Profile (Client) set up on the Virtual Server, TCP::payload returns the encrypted data. Is there a way to read the decrypted message?
when CLIENT_ACCEPTED {
    # Hold the first 5 bytes of client data before making a routing decision
    TCP::collect 5
}
when CLIENT_DATA {
    log "Received Client data ... [TCP::payload]"
    if { [TCP::payload] starts_with "UK" } {
        pool UAT-UK
        log "UK"
    } elseif { [TCP::payload] starts_with "Ofex" } {
        pool UAT-Ofex
        log "Ofex"
    } else {
        log "Lookup Failed"
    }
    # Release the collected bytes so the connection proceeds to the chosen pool
    TCP::release
}

Kind regards
Matt May
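An added example (Python, not from the post or from F5) showing what the five bytes collected by "TCP::collect 5" actually are behind a clientssl profile: the TLS record header of the ClientHello, not the application prefix, so the starts_with tests can never match. The pool names are the ones from the iRule above; the byte strings are constructed samples.

```python
import struct

# TLS record content types (RFC 5246 / 8446)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Routing prefixes and pools taken from the iRule in the post
ROUTES = {b"UK": "UAT-UK", b"Ofex": "UAT-Ofex"}
MAX_RECORD = 16384 + 2048  # largest TLS 1.2 ciphertext record

def classify_prefix(data: bytes):
    """Classify the first 5 bytes handed to CLIENT_DATA.

    Returns ('tls', description) when the bytes form a TLS record header,
    ('plain', pool) when they start with a known routing prefix,
    ('short', None) when fewer than 5 bytes arrived, else ('unknown', None).
    """
    if len(data) < 5:
        return ("short", None)
    # Record header: content type (1), version major/minor (2), length (2), big-endian
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3
            and 0 < length <= MAX_RECORD):
        desc = f"{TLS_CONTENT_TYPES[ctype]} record, version 3.{minor}, {length} bytes"
        return ("tls", desc)
    for prefix, pool in ROUTES.items():
        if data.startswith(prefix):
            return ("plain", pool)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed samples: a ClientHello record header, and two plaintext prefixes
    for sample in (b"\x16\x03\x01\x00\xc4", b"UK-01", b"Ofex1"):
        print(sample, "->", classify_prefix(sample))
```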
11 Replies
- unRuleY_95363
Historic F5 Account
Unfortunately, we don't yet have an SSL::collect, SSL::payload or an SSL_DATA event, and that would be needed to inspect the unencrypted data.
One really crazy work-around would be to connect one switch port to another switch port that's in a second VLAN on the front of the BigIP. Then you would create a separate virtual and route the unencrypted connection back through the second virtual, where you could then inspect the unencrypted data and load-balance to the final pool. The only drawback is the added latency of going through the BigIP twice.
- Matt_May_64216
Nimbostratus
Do you know if there are any plans to include those commands in the near future?
Luckily we have an older pair on site, so I will pass the decrypted data on and get it to process the request.
Thanks
Matt
- drteeth_127330
Historic F5 Account
We have been planning to add collect and release functionality to the STREAM module. I believe this could be used in conjunction with SSL to accomplish your task. Unfortunately, I can't provide you with a definite release date or version.
- Brian_Gupta_115
Nimbostratus
What would happen if I put a VIP in a pool?
-Brian
P.S. - I am afraid to try, but I suspect it will be rejected by the GUI.
- drteeth_127330
Historic F5 Account
I don't think it will be rejected by the GUI. However, it probably won't work as you would hope. Assuming that there is a matching interface route, BIG-IP will simply try to connect to a node with the given IP. The fact that the IP matches the destination of a vip doesn't result in any special treatment. We are planning to support vips as pool members in a future release.
- Brian_Gupta_115
Nimbostratus
I just want to clarify... Are you saying that the following would work? (Please note this would all be configured on one BigIP, with all VIPs on the same VLAN/Interface).
1) Create a Standard VIP on port 2222. VLANEXT (Servers on VLANINT)
2) Create a pool with the VIP from step One.
3) Create a VIP that uses the clientssl profile on port 443. VLANEXT (Uses pool from step two.)
Could I then create a rule for the VIP I created in step one that does the data inspection?
Thanks,
-Brian
- drteeth_127330
Historic F5 Account
No, you misunderstood. BIG-IP will look for a node with the same address as the vip from step one, and it won't find one. This would work if you follow Unruley's suggestion and use a patch cable to connect one network port to another.
- Brian_Herr_1028
Nimbostratus
Has the ability to collect data after the SSL decryption been added since this thread was last updated? We have need of this ability to meet certain security/regulatory constraints. We are ultimately looking for an event that fires after the SSL decryption, like CLIENT_DATA does on an unencrypted socket. I hear that using the STREAM: is the answer. Is this true?
- Deb_Allen_18
Historic F5 Account
No, there haven't been any new events added to that flow yet.
The stream profile only operates on response traffic, and I suppose you can use the "STREAM_MATCHED" event as a trigger when a specific string is seen. Not sure where that falls into the serverside encryption flow, though, and many don't encrypt serverside, so YMMV.
HTH
/deb
- wmazanek_98800
Nimbostratus
Yet another way to direct traffic from an SSL vserver to a standard vserver, where the payload is unencrypted, is to do it with an iRule.
see http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=12453&view=topic
BR,
Witek