
Forum Discussion

Anesh
May 10, 2017

SSL Forward proxy Bypass iRule not working

The iRule below does not bypass the SSL forward proxy function for URLs defined in the Bypass data group; it continues to re-sign with the certificate provided by F5...

when RULE_INIT {
    # Debug logging switch referenced as $static::DEBUG below
    set static::DEBUG 0
}

when CLIENTSSL_CLIENTHELLO {
    if { $static::DEBUG } { log local0. "in CLIENTSSL_CLIENTHELLO" }
    # Pull the SNI (server_name, extension type 0) out of the ClientHello.
    # Extension layout: type(2) len(2) list_len(2) name_type(1) name_len(2) host_name,
    # so @9a* skips the 9 header bytes and takes the rest as the hostname.
    set tls_servername ""
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9a* tls_servername
        if { $static::DEBUG } { log local0. "tls_servername = ${tls_servername}" }
    }
}

when CLIENTSSL_SERVERHELLO_SEND {
    if { $static::DEBUG } { log local0. "in CLIENTSSL_SERVERHELLO_SEND" }
    log local0. "tls_servername = ${tls_servername}"
    # True when the SNI contains one of the Bypass data group entries
    if { [class match $tls_servername contains Bypass] } {
        log local0. "Data group match"
        SSL::forward_proxy policy bypass
        HTTP::disable
        # Server-side pool for the bypassed connection
        pool bluecoatpool
    }
}

8 Replies

  • Anesh

    I get the error below when doing a curl to the SSL explicit forward proxy VIP:

    * About to connect() to proxy 10.13.22.6 port 8080 (0)
    *   Trying 10.13.22.6... connected
    * Connected to 10.13.22.6 (10.13.22.6) port 8080 (0)
    * Establish HTTP proxy tunnel to www.365online.com:443
    > CONNECT www.365online.com:443 HTTP/1.1
    > Host: www.365online.com:443
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/0.6.5
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connected
    <
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Proxy replied OK to CONNECT request
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    } [data not shown]
    * Unknown SSL protocol error in connection to www.365online.com:8080
    * Closing connection 0
    
    curl: (35) Unknown SSL protocol error in connection to www.365online.com:8080
    
  • This should work. Do you have the SSL Forward Proxy Bypass option enabled in the client and server SSL profiles?

     

  • Anesh

    It works for URLs that are not part of the Bypass data group, but for URLs within the Bypass data group it does not work.

     

  • One of the primary issues here is timing. In your iRule, you're redirecting traffic to the bluecoat pool in the CLIENTSSL_SERVERHELLO_SEND event. Presumably you have another pool that is the default for traffic.

    When a client enters the SSL forward proxy VIP, he'll initiate the SSL handshake.

    (diagram: Client Hello)

    which is then paused. At that point, the server side goes out and performs a complete server-side TCP connection and server-side SSL handshake with the server, brings the server's cert back, and only then does the client-side SSL session resume.

    (diagram: client-side Server Hello send)

    So by the time you get to the CLIENTSSL_SERVERHELLO_SEND event, an initial server side connection has to have already left through the default path, so setting the pool in this event is too late. Try this:

    when CLIENTSSL_CLIENTHELLO {
        # Extract the SNI while the ClientHello is paused, before any
        # server-side connection has been opened.
        set tls_servername ""
        if { [SSL::extensions exists -type 0] } {
            binary scan [SSL::extensions -type 0] @9a* tls_servername
        }
        if { [class match $tls_servername contains Bypass] } {
            # The pool has to be chosen here; by CLIENTSSL_SERVERHELLO_SEND
            # the server-side connection has already left via the default pool.
            pool bluecoat-pool
        }
    }
    when CLIENTSSL_SERVERHELLO_SEND {
        if { [class match $tls_servername contains Bypass] } {
            SSL::forward_proxy policy bypass
            catch { HTTP::disable }
        }
    }
    
  • Anesh

    The iRule below works:

    when RULE_INIT {
        # Debug logging switch referenced as $static::DEBUG below
        set static::DEBUG 0
    }

    when CLIENT_ACCEPTED {
        if { $static::DEBUG } { log local0. "in CLIENT_ACCEPTED" }
        log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection to destination [IP::local_addr]:[TCP::local_port]"

        # Start every connection in plain TCP pass-through and hold the first
        # client payload until CLIENT_DATA has looked at it.
        HTTP::disable
        SSL::disable clientside
        SSL::disable serverside
        TCP::collect

        set destip1 [IP::local_addr]
        log local0. "$destip1"
        if { ![class match $destip1 equals BypassDestIP] } {
            # Not a bypass destination: hand the flow to the forward proxy virtual
            virtual EgressANYVIP
        } else {
            # Bypass destination: send the untouched stream to the upstream proxy,
            # keeping the client's original destination port
            translate address enable
            translate port disable
            pool BluecoatProxyPool
        }
    }

    when CLIENT_DATA {
        if { $static::DEBUG } { log local0. "in CLIENT_DATA" }
        set destip [IP::local_addr]
        log local0. "$destip"
        # First byte of the payload: 22 (0x16) is a TLS handshake record
        binary scan [TCP::payload] c type
        if { $type == 22 and ![class match $destip equals BypassDestIP] } {
            # TLS to a non-bypass destination: turn the SSL forward proxy back on
            SSL::enable clientside
            SSL::enable serverside
            HTTP::enable
        }
        TCP::release
    }
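
The iRules in this thread lean on three byte-level facts: the first byte of a TLS handshake record is 22, `SSL::extensions -type 0` returns the raw server_name extension, and `binary scan ... @9a*` skips its 9 header bytes to get the hostname. The following is an added example, not code from the thread or from F5, written in Python so it can be run offline without a BIG-IP. The ClientHello bytes and the stand-in for the Bypass data group are constructed here, and the bypass test follows my reading of `class match $tls_servername contains Bypass` (true when the SNI contains one of the data group keys as a substring). It also shows the one caveat of `@9a*`: it reads to the end of the extension, so it only equals the host_name when that entry is the sole content.

```python
# Added example (not from the DevCentral thread). ClientHello and data group
# contents are constructed; hostnames are illustrative.
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 22       # record type the working iRule tests via `binary scan ... c type`
CLIENT_HELLO = 1
EXT_SERVER_NAME = 0      # what `SSL::extensions -type 0` selects
NAME_TYPE_HOST = 0

# Constructed stand-in for the "Bypass" data group: SNI must contain a key.
BYPASS_DG = ("365online.com", "bank.example")


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed TLS 1.2 ClientHello record, with or without server_name."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def server_name_extension(payload: bytes) -> Optional[bytes]:
    """Raw server_name extension (type + length + data), i.e. what
    `SSL::extensions -type 0` gives the iRule; None if not a ClientHello
    with SNI. Walks the ClientHello fields instead of guessing offsets."""
    if not payload or payload[0] != TLS_HANDSHAKE:
        return None
    hs = payload[5:]
    try:
        if hs[0] != CLIENT_HELLO:
            return None
        p = 4 + 2 + 32                                  # header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack_from("!H", hs, p)[0]     # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        if p + 2 > len(hs):
            return None                                 # no extensions block
        end = p + 2 + struct.unpack_from("!H", hs, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            if etype == EXT_SERVER_NAME:
                return hs[p:p + 4 + elen]
            p += 4 + elen
    except (IndexError, struct.error):
        return None                                     # truncated or malformed
    return None


def sni_irule_style(ext: bytes) -> str:
    """What `binary scan $ext @9a* name` does: skip type(2) len(2)
    list_len(2) name_type(1) name_len(2) and take everything after."""
    return ext[9:].decode("ascii", "replace")


def sni_length_aware(ext: bytes) -> Optional[str]:
    """Honour name_type and name_len so trailing bytes cannot leak into the match."""
    if len(ext) < 9:
        return None
    name_type, name_len = struct.unpack_from("!BH", ext, 6)
    if name_type != NAME_TYPE_HOST or len(ext) < 9 + name_len:
        return None
    return ext[9:9 + name_len].decode("ascii", "replace")


def bypass_decision(payload: bytes) -> Tuple[Optional[str], bool]:
    """(sni, bypass) for the first client payload. No SNI means nothing to
    match, so the connection stays intercepted by the forward proxy."""
    ext = server_name_extension(payload)
    if ext is None:
        return None, False
    name = sni_length_aware(ext) or ""
    return name, any(key in name for key in BYPASS_DG)


if __name__ == "__main__":
    for host in ("www.365online.com", "www.example.org", None):
        print(host, "->", bypass_decision(build_client_hello(host)))
    print("plain HTTP ->", bypass_decision(b"GET / HTTP/1.1\r\n"))
```

Run it directly to see the three SNI cases and a non-TLS payload; the decision for a non-TLS first byte is the same "not bypassed" path the working iRule takes when `$type` is not 22.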