SNI Based on IRule

Question

I have a requirement to set SNI based on the incoming context for every subsequent requests by same client to the same back-end server.  
&nbsp;
I have put the following in SERVERSSL_CLIENTHELLO_SEND but it looks like the event SERVERSSL_CLIENTHELLO_SEND is getting triggered for only first request and not for every subsequent request from same client.  Is there any better option available ?  
&nbsp;
log local0. "SNI : one-dev-443 : $sni"
      set sni_host $sni
      set sni_length [string length $sni_host]
      binary scan $sni_host H* sni_host_hex
      set server_tls_sni_extension "0000"
      append server_tls_sni_extension "[format %4.4X [expr { $sni_length + 5 }]]"
      append server_tls_sni_extension "[format %4.4X [expr { $sni_length + 3 }]]"
      append server_tls_sni_extension "00"
      append server_tls_sni_extension "[format %4.4X $sni_length]"
      SSL::extensions insert [binary format H* "$server_tls_sni_extension$sni_host_hex"]&nbsp;

kai_wilke · Answer

Hi Murugs,
to force an SERVERSSL_CLIENTHELLO_SEND event after each single HTTP_REQUEST event you would need to execute [LB::detach] on/after every single HTTP_REQUEST or HTTP_RESPONSE event. But this approach would hurt your overall performance and is absolutely NOT recommended...
I'd like to ask the question why do you need to do that? 
You need SNI just to select a specific SSL cert on your web server. After the Server SSL handshake is completed, you can pump as many HTTP request over the established TCP connection / SSL session without the need to further manipulate server side SNI records.
Cheers, Kai

rossvermette · Answer

How about something a little different, where you set the "tls_SNI_extension" based on what the client sends?  Something like this:
when CLIENTSSL_HANDSHAKE {
    if { [SSL::extensions exists -type 0] } then {
        set tls_sni_extension [SSL::extensions -type 0]
    } else {
        set tls_sni_extension ""
    }
}
when SERVERSSL_CLIENTHELLO_SEND {
    if { $tls_sni_extension ne "" } then {
        SSL::extensions insert $tls_sni_extension
    }
}

stanislas_piro2 · Answer

Hi,&nbsp;
Kai Wilke wrote 2 codes available in codeshare section. the one provided above by RossVermette and another to insert SNI with server side hostname (if SNI is not included by the client).&nbsp;
Client side to server side SNI relay iRule&nbsp;
Serverside SNI injection iRule&nbsp;

kai_wilke · Answer

Hi Murugs,&nbsp;
your iRule contains a old version of my SNI injection iRule. You may check out the links provided by Stanislas to get an optimized version...&nbsp;
Cheers, Kai&nbsp;

murugs_322349 · Answer

Thanks for the optimized version,  I will definitely get it implemented.  
&nbsp;
My request is how do I make the SERVERSSL_CLIENTHELLO_SEND event fired for each HTTP Request irrespective of whether the request is coming from same browser session or not. The VS has only one HTTP host attached.   &nbsp;

Forum Discussion

SNI Based on IRule

5 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Question regarding F5 Viprion Configuration Migration to VE.

Sending an HTTP request from iRule without delaying client requests

In F5 APM, how to include multiple DNS suffix?

Issue while migrating config from 4000s to r4600

Username is not filled in EdgeClient in the Modern customization

Related Content

Serverside SNI injection iRule

SNI Routing with DNS Lookup

iRule based RADIUS Client Stack

iRule based RADIUS Health Monitor Builder

Server Profile SNI

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS