Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Nov 20, 2006

redirerect based on CONNECT hostname

Hi,

 

 

can anyone tell me how to get the intended recipient of an HTTPS CONNECT request in an irule. i have been assuming that there would be an HTTP::host header as part of the CONNECT method but i'm wrong, and all there is is the "CONNECT example.com" request. how can i get that hostname in the same way i would get a normal HTTP::host for non-SSL traffic?

 

 

my intention here is to just proxy the encrypted traffic where applicable, and not bother (de)encrypting it if there is no benefit, so maybe i'm heading in the wrong direction anyway, but i assume that all i'd need is the intended target of the CONNECT and chuck the request in it's direction.

 

 

Cheers

 

 

Chris
application delivery
dev
devops
iRules

5 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 20, 2006
    RFC2817 seems to indicate that the CONNECT method should include a Host header: (Click here)

     

     

     

    CONNECT server.example.com:80 HTTP/1.1

     

    Host: server.example.com:80

     

    Proxy-Authorization: basic aGVsbG86d29ybGQ=

     

     

     

    Do you have a client making a request where you don't see the Host header? Or does HTTP::host not return anything even with the Host header in the CONNECT request?

     

     

    Can you post the request headers for a client request?

     

     

    If the request line contains the host, you could HTTP::uri and a string (or regex) command to return the host from the URI.

     

     

    Aaron
  • Chris_Phillips's avatar
    Chris_Phillips
    Icon for Nimbostratus rankNimbostratus
    Nov 20, 2006
    well hopefully this will look ok on screen...

    using curl to test connectivity i get

    No.     Time        Source                Destination           Protocol Info 
      4 0.001195    10.224.10.100         10.224.0.11           HTTP     CONNECT sbapi.national.ncrs.nhs.uk:443 HTTP/1.0
Frame 4 (222 bytes on wire, 222 bytes captured)
Ethernet II, Src: Micro-St_6b:ec:0c (00:0c:76:6b:ec:0c), Dst: NetworkA_e0:0a:0b (00:50:5a:e0:0a:0b)
Internet Protocol, Src: 10.224.10.100 (10.224.10.100), Dst: 10.224.0.11 (10.224.0.11)
Transmission Control Protocol, Src Port: 39661 (39661), Dst Port: 8080 (8080), Seq: 1, Ack: 1, Len: 156
Hypertext Transfer Protocol
    CONNECT sbapi.national.ncrs.nhs.uk:443 HTTP/1.0\r\n
        Request Method: CONNECT
        Request URI: sbapi.national.ncrs.nhs.uk:443
        Request Version: HTTP/1.0
    User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6\r\n
    \r\n

    for an HTTPS CONNECT and for an HTTP GET:

    No.     Time        Source                Destination           Protocol Info
      9 0.009917    10.224.10.100         10.224.0.11           HTTP     GET http://sbapi.national.ncrs.nhs.uk HTTP/1.1
Frame 9 (286 bytes on wire, 286 bytes captured)
Ethernet II, Src: Micro-St_6b:ec:0c (00:0c:76:6b:ec:0c), Dst: NetworkA_e0:0a:0b (00:50:5a:e0:0a:0b)
Internet Protocol, Src: 10.224.10.100 (10.224.10.100), Dst: 10.224.0.11 (10.224.0.11)
Transmission Control Protocol, Src Port: 39662 (39662), Dst Port: 8080 (8080), Seq: 1, Ack: 1, Len: 220
Hypertext Transfer Protocol
    GET http://sbapi.national.ncrs.nhs.uk HTTP/1.1\r\n
        Request Method: GET
        Request URI: http://sbapi.national.ncrs.nhs.uk
        Request Version: HTTP/1.1
    User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6\r\n
    Host: sbapi.national.ncrs.nhs.uk\r\n
    Pragma: no-cache\r\n
    Accept: */*\r\n
    \r\n
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 20, 2006
    So it looks like the CONNECT method doesn't require the Host header then. Can you add some logging to see what you're getting for the HTTP::uri and other headers?

    
when HTTP_REQUEST {
   if { [HTTP::method] == "CONNECT" }{
      log local0. "Host: [HTTP::host]"
      log local0. "URI: [HTTP::uri]"
      set cnt 0
      foreach aHeader [HTTP::header names] {
         log local0. "h$cnt: $aHeader: [HTTP::header $aHeader]"
         incr cnt
      }
   }   
}

    [edited to just log for CONNECT requests]

    Aaron
  • Chris_Phillips's avatar
    Chris_Phillips
    Icon for Nimbostratus rankNimbostratus
    Nov 20, 2006
    yes, there is a URI header, i guess that I'm going to have to treat CONNECT's different to other standard HTTP methods?

     

     

    following from this then, is it the case that there *will* be a host header on the inside of the encrypted connection? i was hoping to not have to decrypt the data on the assumption that the host header was only going to be on the outside.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 21, 2006
    I'm not too familiar with the CONNECT method. I'd try capturing a tcpdump of a few types of client reqests and decrypt the data with ssldump to figure out exactly what's in the payload.

     

     

    I'm not sure how you would go about extracting and decrypting the SSL traffic in the payload in a rule. Can you check to see if there is anything you actually need to inspect or modify in the payload?