For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Anesh's avatar
Anesh
Icon for Cirrostratus rankCirrostratus
May 10, 2017

SSL Forward proxy Bypass iRule not working

The below irule does not Bypass SSL forward proxy function for url's defined in the Bypass datagroup, it continues to re-sign with the certificate provdied by F5... when CLIENTSSL_CLIENTHELLO { ...
iRules
LTM
security
Anesh's avatar
Anesh
Icon for Cirrostratus rankCirrostratus
May 12, 2017

Below iRule works

 when CLIENT_ACCEPTED {
if { $static::DEBUG } { log local0. "in event" }
log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection to destination [IP::local_addr]:[TCP::local_port]" 

HTTP::disable
SSL::disable clientside
SSL::disable serverside
TCP::collect
set destip1 [IP::local_addr]
log local0. "$destip1"
if { (![class match $destip1 equals BypassDestIP])} 
{
virtual EgressANYVIP
}
else
{
translate address enable
translate port disable
pool BluecoatProxyPool
}

}

when CLIENT_DATA {
if { $static::DEBUG } { log local0. "in event" }
set destip [IP::local_addr]
log local0. "$destip"
binary scan [TCP::payload] c type
if { $type == 22 and (![class match $destip equals BypassDestIP])} 
{
SSL::enable clientside
SSL::enable serverside
HTTP::enable
}

TCP::release
}