Forum Discussion
Chris_Phillips
Nimbostratus
Nov 20, 2006
redirect based on CONNECT hostname
Hi,
Can anyone tell me how to get the intended recipient of an HTTPS CONNECT request in an iRule? I have been assuming that there would be an HTTP::host header as part of the CONNECT method, but I'm wrong, and all there is is the "CONNECT example.com" request. How can I get that hostname in the same way I would get a normal HTTP::host for non-SSL traffic?
My intention here is to just proxy the encrypted traffic where applicable, and not bother (de)encrypting it if there is no benefit, so maybe I'm heading in the wrong direction anyway, but I assume that all I'd need is the intended target of the CONNECT and chuck the request in its direction.
Cheers
Chris
5 Replies
- hoolio
Cirrostratus
RFC2817 seems to indicate that the CONNECT method should include a Host header: (Click here)
- Chris_Phillips
Nimbostratus
Well hopefully this will look ok on screen...

    No.  Time      Source         Destination  Protocol  Info
    4    0.001195  10.224.10.100  10.224.0.11  HTTP      CONNECT sbapi.national.ncrs.nhs.uk:443 HTTP/1.0

    Frame 4 (222 bytes on wire, 222 bytes captured)
    Ethernet II, Src: Micro-St_6b:ec:0c (00:0c:76:6b:ec:0c), Dst: NetworkA_e0:0a:0b (00:50:5a:e0:0a:0b)
    Internet Protocol, Src: 10.224.10.100 (10.224.10.100), Dst: 10.224.0.11 (10.224.0.11)
    Transmission Control Protocol, Src Port: 39661 (39661), Dst Port: 8080 (8080), Seq: 1, Ack: 1, Len: 156
    Hypertext Transfer Protocol
        CONNECT sbapi.national.ncrs.nhs.uk:443 HTTP/1.0\r\n
            Request Method: CONNECT
            Request URI: sbapi.national.ncrs.nhs.uk:443
            Request Version: HTTP/1.0
        User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6\r\n
        \r\n

    No.  Time      Source         Destination  Protocol  Info
    9    0.009917  10.224.10.100  10.224.0.11  HTTP      GET http://sbapi.national.ncrs.nhs.uk HTTP/1.1

    Frame 9 (286 bytes on wire, 286 bytes captured)
    Ethernet II, Src: Micro-St_6b:ec:0c (00:0c:76:6b:ec:0c), Dst: NetworkA_e0:0a:0b (00:50:5a:e0:0a:0b)
    Internet Protocol, Src: 10.224.10.100 (10.224.10.100), Dst: 10.224.0.11 (10.224.0.11)
    Transmission Control Protocol, Src Port: 39662 (39662), Dst Port: 8080 (8080), Seq: 1, Ack: 1, Len: 220
    Hypertext Transfer Protocol
        GET http://sbapi.national.ncrs.nhs.uk HTTP/1.1\r\n
            Request Method: GET
            Request URI: http://sbapi.national.ncrs.nhs.uk
            Request Version: HTTP/1.1
        User-Agent: curl/7.12.1 (i386-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6\r\n
        Host: sbapi.national.ncrs.nhs.uk\r\n
        Pragma: no-cache\r\n
        Accept: */*\r\n
        \r\n
- hoolio
Cirrostratus
So it looks like the CONNECT method doesn't require the Host header then. Can you add some logging to see what you're getting for the HTTP::uri and other headers?

    when HTTP_REQUEST {
        if { [HTTP::method] == "CONNECT" } {
            log local0. "Host: [HTTP::host]"
            log local0. "URI: [HTTP::uri]"
            set cnt 0
            foreach aHeader [HTTP::header names] {
                log local0. "h$cnt: $aHeader: [HTTP::header $aHeader]"
                incr cnt
            }
        }
    }
- Chris_Phillips
Nimbostratus
Yes, there is a URI header. I guess that I'm going to have to treat CONNECTs differently to other standard HTTP methods?
- hoolio
Cirrostratus
I'm not too familiar with the CONNECT method. I'd try capturing a tcpdump of a few types of client requests and decrypt the data with ssldump to figure out exactly what's in the payload.
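
The capture earlier in the thread shows the CONNECT destination only on the request line (`host:port`), with no Host header in the HTTP/1.0 request. The iRule below is an added example, not code from any poster in this thread, that reads that target, validates it, and only forwards allowlisted destinations. It assumes `[HTTP::uri]` returns the CONNECT target as sent; the pool name `upstream_proxy_pool` and the allowlisted host are placeholders.

```tcl
# Added example. The pool name and the allowlisted host are placeholders.
when HTTP_REQUEST {
    if { [HTTP::method] ne "CONNECT" } { return }

    # CONNECT puts its destination on the request line in authority-form
    # ("host:port"). Assumption: [HTTP::uri] returns that string as sent.
    set target [HTTP::uri]
    set host ""
    set port ""

    # Accept name-or-IPv4:port or [IPv6]:port. The port is mandatory in a
    # CONNECT target, so a bare hostname is treated as malformed.
    if { ![regexp {^([A-Za-z0-9.-]+):([0-9]{1,5})$} $target -> host port] &&
         ![regexp {^\[([0-9A-Fa-f:.]+)\]:([0-9]{1,5})$} $target -> host port] } {
        log local0. "CONNECT rejected, malformed target: $target"
        HTTP::respond 400 content "Malformed CONNECT target"
        return
    }

    # Hostnames are case-insensitive and may carry a trailing root dot.
    set host [string trimright [string tolower $host] "."]
    # scan forces decimal so a port such as "0443" is not read as octal.
    scan $port %d port

    # Only tunnel to the HTTPS port; allowing any port would let clients
    # use the proxy to reach arbitrary services behind it.
    if { $port != 443 } {
        log local0. "CONNECT denied, port $port not allowed for $host"
        HTTP::respond 403 content "CONNECT port not permitted"
        return
    }

    switch -- $host {
        "example.com" {
            pool upstream_proxy_pool
        }
        default {
            log local0. "CONNECT denied, host not allowlisted: $host"
            HTTP::respond 403 content "CONNECT target not permitted"
        }
    }
}
```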