Trying to achieve a specific configuration with an Irule and SSL Proxy.

Question

Here is what we are trying to acheive to replace a Microsoft IIS Server.

Many of our client servers are note supporting TLS 1.2, So we have this webserver that acts as a proxy for them.

The IIS Server is presenting a certificate based on a hostname, Then the url requested is parsed ont the IIS server and the original client certificate is presented to the EXTERNAL website and data is exchanged through the IIS Server.

For an exemple :

Client ask for : https://iisredirect.sdswebapp.com/URL=login.decisivapps.com/oauth/token that goes to the IIS server.

IIS Server "comfort" client with it's own certificate.

Request is receveived at https://login.decisivapps.com/oauth/token from the IIS server on behalf of the client.

Then the IIS server exchanges data between them until completion.

We cannot use nodes because all those site are external.

What we've tested so far was an iRule that "works" on redirection only, but not as a proxy.

Our dev team would like to replace this IIS server without having to use nodes,datagroup or so. Only with the /URL=??? method already hardcoded on hundreds of servers.

Is there any way to achieve this ?

Thank you

simon_blakely · Answer

&gt; We cannot use nodes because all those site are external.&nbsp;You can define nodes that are external to the networks on the LTM.&nbsp;&gt; Our dev team would like to replace this IIS server without having to use nodes,datagroup or so. Only with the /URL=??? method already hardcoded on hundreds of servers.&nbsp;It's certainly achievable, but not trivial.&nbsp;I'd suggest approaching F5 Professional Services to get this written.&nbsp;Otherwise, here is a high-level irule structure&nbsp;you need server-ssl profiles for all the target severs, with relevant settings and client-auth certificatesThey need to be named in a structured way so they can be correctly selected with the host name&nbsp;get the request URI (HTTP:uri)split it on "URL=", and keep the second resultPrepend "https://" so you have a target URI for the server-side responseUse URI::host to get the host nameuse DNS::resolve to get an IP address from the host nameset the node using the IP addresschange the Host header in the requestselect the correct server-ssl profile based on the hostname allow the request to be madeonce you have a response, translate any embedded URLs as required

Forum Discussion

Trying to achieve a specific configuration with an Irule and SSL Proxy.

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

Achieving an SSL Labs A+ score with F5 products

Achieving firewall high-availability in Azure with F5

New SSL Orchestrator Support for Netscout Appliances - How to Achieve Rich Traffic Analysis

Maintaining BIG-IP's Golden Compliance Configuration in Financial Services

F5 BIG-IP Advanced WAF – DOS profile configuration options.

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS