Forum Discussion

Murugs_322349
Oct 10, 2017

SNI Based on IRule

I have a requirement to set SNI based on the incoming context for every subsequent request by the same client to the same back-end server.


I have put the following in SERVERSSL_CLIENTHELLO_SEND, but it looks like the event SERVERSSL_CLIENTHELLO_SEND is getting triggered only for the first request and not for every subsequent request from the same client. Is there any better option available?


when SERVERSSL_CLIENTHELLO_SEND {
    # $sni is assumed to already hold the hostname to send (set elsewhere in the iRule)
    log local0. "SNI : one-dev-443 : $sni"
    set sni_host $sni
    set sni_length [string length $sni_host]
    # hostname as hex so it can be packed into the extension bytes below
    binary scan $sni_host H* sni_host_hex
    # server_name extension layout: type 0x0000, extension length (n+5),
    # ServerNameList length (n+3), name type 0x00 (host_name), hostname length (n), hostname
    set server_tls_sni_extension "0000"
    append server_tls_sni_extension [format %4.4X [expr { $sni_length + 5 }]]
    append server_tls_sni_extension [format %4.4X [expr { $sni_length + 3 }]]
    append server_tls_sni_extension "00"
    append server_tls_sni_extension [format %4.4X $sni_length]
    SSL::extensions insert [binary format H* "$server_tls_sni_extension$sni_host_hex"]
}
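Added example (not part of the original post and not F5 code): a small Python encoder and length-checking decoder for the RFC 6066 server_name extension. It shows where the "+5" and "+3" in the iRule above come from, reproduces the iRule's hex assembly to confirm both agree byte for byte, and rejects truncated or inconsistent input, which is the check a defender wants before trusting an SNI value pulled off the wire. The hostname "one-dev-443" is taken from the log line in the post; everything else is constructed.

```python
import struct

# RFC 6066 section 3: extension type 0 = server_name, name type 0 = host_name
SERVER_NAME_EXT_TYPE = 0
HOST_NAME_TYPE = 0


def build_sni_extension(hostname: str) -> bytes:
    """Encode a complete server_name extension (type + length + ServerNameList).

    Wire layout, all lengths big-endian:
      ext_type(2) | ext_len(2) | list_len(2) | name_type(1) | name_len(2) | host_name(n)
    so ext_len = n + 5 and list_len = n + 3, the arithmetic used in the posted iRule.
    """
    name = hostname.encode("ascii")  # host_name is ASCII-only per RFC 6066
    if not name or len(name) > 0xFFFF:
        raise ValueError("hostname must be 1..65535 bytes")
    server_name = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SERVER_NAME_EXT_TYPE, len(server_name_list)) + server_name_list


def irule_style_hex(hostname: str) -> str:
    """Reproduce the hex string the posted iRule assembles with format/append."""
    n = len(hostname)
    return ("0000" + "%4.4X" % (n + 5) + "%4.4X" % (n + 3)
            + "00" + "%4.4X" % n + hostname.encode("ascii").hex())


def parse_sni_extension(data: bytes) -> str:
    """Decode a server_name extension, checking every length field against the
    actual byte count so truncated or inconsistent input raises ValueError
    instead of being accepted. Only the single host_name entry that RFC 6066
    permits is accepted."""
    if len(data) < 9:
        raise ValueError("extension shorter than fixed header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SERVER_NAME_EXT_TYPE:
        raise ValueError("not a server_name extension")
    if ext_len != len(data) - 4:
        raise ValueError("extension length does not match data")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len != ext_len - 2:
        raise ValueError("ServerNameList length inconsistent")
    name_type, name_len = struct.unpack("!BH", data[6:9])
    if name_type != HOST_NAME_TYPE:
        raise ValueError("unsupported name type")
    if name_len != list_len - 3:
        raise ValueError("host_name length inconsistent")
    return data[9:9 + name_len].decode("ascii")


def is_well_formed(data: bytes) -> bool:
    """True if parse_sni_extension accepts the bytes, False on any length error."""
    try:
        parse_sni_extension(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    host = "one-dev-443"  # hostname from the log line in the post
    ext = build_sni_extension(host)
    print(ext.hex())
    print("iRule arithmetic matches:", bytes.fromhex(irule_style_hex(host)) == ext)
    print("decoded:", parse_sni_extension(ext))
```

The decoder deliberately ties each length field to the real byte count rather than trusting the field alone; an extension that claims one length and carries another is the classic input a parser should refuse rather than read past.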


5 Replies

  • Hi Murugs,

    to force a SERVERSSL_CLIENTHELLO_SEND event after each single HTTP_REQUEST event you would need to execute [LB::detach] on/after every single HTTP_REQUEST or HTTP_RESPONSE event. But this approach would hurt your overall performance and is absolutely NOT recommended...

    I'd like to ask the question why do you need to do that?

    You need SNI just to select a specific SSL cert on your web server. After the Server SSL handshake is completed, you can pump as many HTTP request over the established TCP connection / SSL session without the need to further manipulate server side SNI records.

    Cheers, Kai

  • How about something a little different, where you set the "tls_SNI_extension" based on what the client sends? Something like this:

    when CLIENTSSL_HANDSHAKE {
        if { [SSL::extensions exists -type 0] } then {
            set tls_sni_extension [SSL::extensions -type 0]
        } else {
            set tls_sni_extension ""
        }
    }
    when SERVERSSL_CLIENTHELLO_SEND {
        if { $tls_sni_extension ne "" } then {
            SSL::extensions insert $tls_sni_extension
        }
    }
    
  • Hi Murugs,

    your iRule contains an old version of my SNI injection iRule. You may check out the links provided by Stanislas to get an optimized version...

    Cheers, Kai

  • Thanks for the optimized version, I will definitely get it implemented.

    My request is: how do I make the SERVERSSL_CLIENTHELLO_SEND event fire for each HTTP request, irrespective of whether the request is coming from the same browser session or not? The VS has only one HTTP host attached.