Check a Virtual Server's SSL Status
Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.
Short Description
A question was asked about how to filter which virtuals might have client-side/server-side SSL profiles, or carry SSL without profiles as passthrough. There is nothing in the virtual object that tells you that unless you know your naming scheme and the known SSL ports. But if you know all the profiles that exist and check which of them are applied to your virtuals, you can discern that information. This tmsh script attempts to make sense of those details.
How to use this Code Snippet
Merge the cli script into the BIG-IP configuration, then usage is:
tmsh run cli script vip_ssl_check.tcl
Results are printed like so:
[root@ltm3:Active:Standalone] config # tmsh run cli script testtype.tcl
Virtual: ext_nerdknobs.tech_80
Client-side encrypted: false
Server-side encrypted: false
Inspection possible: true
Virtual: ext_nerdknobs.tech_443
Client-side encrypted: true
Server-side encrypted: true
Inspection possible: true
Virtual: h2test
Client-side encrypted: true
Server-side encrypted: false
Inspection possible: true
Virtual: viptest1
Client-side encrypted: false
Server-side encrypted: true
Inspection possible: true
Virtual: virtual_name3
Client-side encrypted: true
Server-side encrypted: true
Inspection possible: false
Future work could be to fold this logic into the config search tool for specific virtuals/ports, etc.
Code Snippet Meta Information
- Version: 0.1
- Coding Language: Tcl 8.4
Full Code Snippet
vip_ssl_check.tcl (Gist on GitHub)
- xuwenCumulonimbus
The above version cannot check the SSL issued by AS3 because it is configured under /Partition/Folder
A rough test of the following code can detect the configuration below the AS3 folder:

```tcl
# print_ssl_details is defined in vip_ssl_check.tcl (the gist linked above)
proc script::run {} {
    # Build a list of Client SSL Profiles
    foreach partition_config [tmsh::get_config /auth partition] {
        # set partition "[lindex [split $all_partitions " "] 2]"
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        tmsh::cd /$partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partition virtuals use a Common partition client-ssl profile;
            # listing the current partition's ltm virtual config shows the ssl profile name as /Common/xxx,
            # so we also add the partition-qualified name to the list,
            # otherwise lsearch -exact $::cssl_profiles $profile_name fails
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
        # Also collect profiles that live in folders below the partition (AS3 places objects there)
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set partition_folder_name [tmsh::get_name $partition_folder_config]
            tmsh::cd /${partition}/${partition_folder_name}
            foreach folder_cssl_profile [tmsh::get_config /ltm profile client-ssl] {
                # lappend ::cssl_profiles "[tmsh::get_name $folder_cssl_profile]"
                lappend ::cssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_cssl_profile]"
            }
            foreach folder_sssl_profile [tmsh::get_config /ltm profile server-ssl] {
                # lappend ::sssl_profiles "[tmsh::get_name $folder_sssl_profile]"
                lappend ::sssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_sssl_profile]"
            }
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # prevent a same-named ssl profile in another partition from
                # making lsearch -exact $::cssl_profiles $profile_name match incorrectly
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        # Repeat for virtuals that live in folders below the partition
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set current_partition_folder_name [tmsh::get_name $partition_folder_config]
            puts "Partition Folder: /${partition_name}/${current_partition_folder_name}"
            tmsh::cd /${partition_name}/${current_partition_folder_name}
            foreach folder_virtual [tmsh::get_config /ltm virtual] {
                set folder_vip_name [tmsh::get_name $folder_virtual]
                foreach folder_profile [tmsh::get_field_value $folder_virtual profiles] {
                    if { [string first "/" [tmsh::get_name $folder_profile]] == 0 } {
                        set folder_profile_name [tmsh::get_name $folder_profile]
                    } else {
                        set folder_profile_name "/${partition_name}/${current_partition_folder_name}/[tmsh::get_name $folder_profile]"
                    }
                    if { [lsearch -exact $::cssl_profiles $folder_profile_name] != -1 } {
                        set cssl_match 1
                    }
                    if { [lsearch -exact $::sssl_profiles $folder_profile_name] != -1 } {
                        set sssl_match 1
                    }
                }
                if { [info exists cssl_match] && [info exists sssl_match] } {
                    # Client-side & Server-side profiles
                    print_ssl_details $folder_vip_name true true true
                    unset cssl_match
                    unset sssl_match
                } elseif { [info exists cssl_match] } {
                    # Client-side profile only
                    print_ssl_details $folder_vip_name true false true
                    unset cssl_match
                } elseif { [info exists sssl_match] } {
                    # Server-side profile only
                    print_ssl_details $folder_vip_name false true true
                    unset sssl_match
                } elseif { [lindex [split [tmsh::get_field_value $folder_virtual destination] ":"] 1] eq "https" } {
                    # No profiles, but port 443, likely passthrough
                    print_ssl_details $folder_vip_name true true false
                } else {
                    # No profiles or known SSL ports, likely unencrypted
                    print_ssl_details $folder_vip_name false false true
                }
            }
        }
        puts "-----------------------------------------------"
    }
}
```
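The classification the script performs, and the partition/folder name resolution the two comments above add, as an added Python example (not the page's script and not the commenters' code) that runs offline: it builds the client-ssl and server-ssl name sets from a bigip.conf-style fragment, resolves an unqualified profile name against the virtual's own folder, and reports a port-443 virtual with no SSL profile as passthrough (inspection not possible). The config text, names and addresses are constructed, and the brace parser is a minimal one written for this example, not a tmsh or F5 API.

```python
import re
# Constructed bigip.conf-style fragment (not from a real device): a virtual with both
# SSL profiles, one on 443 with no SSL profile (passthrough), and an AS3-style folder.
SAMPLE_CONF = """
ltm profile client-ssl /Common/clientssl { cert /Common/default.crt }
ltm profile server-ssl /Common/serverssl { cert /Common/default.crt }
ltm profile client-ssl /Tenant/App/app_clientssl { cert /Tenant/App/app.crt }
ltm virtual /Common/ext_nerdknobs.tech_443 {
    destination /Common/10.1.10.100:https
    profiles { /Common/clientssl { context clientside } /Common/serverssl { context serverside } }
}
ltm virtual /Common/virtual_name3 {
    destination /Common/10.1.10.101:https
    profiles { /Common/fastL4 { } }
}
ltm virtual /Tenant/App/service {
    destination /Tenant/App/10.1.20.5:https
    profiles { app_clientssl { context clientside } /Common/http { } }
}
"""
def parse(conf_text):
    # Brace-aware parser: returns nested [(words, children)] statements.
    stack, words = [[]], []
    for tok in re.findall(r"\{|\}|\n|[^\s{}]+", conf_text):
        if tok == "{":
            stack[-1].append((words, []))
            stack.append(stack[-1][-1][1])
            words = []
        elif tok in ("}", "\n"):
            if words:
                stack[-1].append((words, []))
            words = []
            if tok == "}":
                stack.pop()
        else:
            words.append(tok)
    return stack[0]
def classify(conf_text):
    # Map virtual name -> (client_encrypted, server_encrypted, inspectable).
    stmts = parse(conf_text)
    cssl, sssl = ({w[3] for w, _ in stmts if w[:3] == ["ltm", "profile", k]} for k in ("client-ssl", "server-ssl"))
    result = {}
    for words, body in (s for s in stmts if s[0][:2] == ["ltm", "virtual"]):
        name, folder = words[2], words[2].rsplit("/", 1)[0]  # the virtual's own folder, e.g. /Common or /Tenant/App
        dest = next((w[1] for w, _ in body if w[0] == "destination"), "")
        profs = next(([k[0] for k, _ in kids] for w, kids in body if w[0] == "profiles"), [])
        full = [p if p.startswith("/") else f"{folder}/{p}" for p in profs]  # unqualified names resolve against the folder
        client, server = any(p in cssl for p in full), any(p in sssl for p in full)
        passthrough = not (client or server) and dest.rsplit(":", 1)[-1] in ("https", "443")
        result[name] = (True, True, False) if passthrough else (client, server, True)
    return result
```

Run `classify(open("/config/bigip.conf").read())` on a saved config to get the same three flags the script prints per virtual.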
- xuwenCumulonimbus
It seems that the check only works on the configuration of the Common partition. I added a few lines of code to script::run to detect the configuration of all partitions.
I want to know where the cli script filestore is. I cat bigip.conf but cannot find the cli script.
```tcl
# print_ssl_details is defined in vip_ssl_check.tcl (the gist linked above)
proc script::run {} {
    # Build a list of Client SSL Profiles
    foreach partition_config [tmsh::get_config /auth partition] {
        # set partition "[lindex [split $all_partitions " "] 2]"
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partition virtuals use a Common partition client-ssl profile;
            # listing the current partition's ltm virtual config shows the ssl profile name as /Common/xxx,
            # so we also add the partition-qualified name to the list,
            # otherwise lsearch -exact $::cssl_profiles $profile_name fails
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # prevent a same-named ssl profile in another partition from
                # making lsearch -exact $::cssl_profiles $profile_name match incorrectly
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        puts "-----------------------------------------------"
    }
}
```
- JRahmAdmin
oh...and cli scripts are in the /config/bigip_script.conf file.