Serverside SNI injection iRule

Problem this snippet solves: Hi Folks, the iRule below can be used to inject a TLS SNI extension to the server side based on e.g. HOST-Header values. The iRule is usefull if your pool servers depe...
Updated Jun 06, 2023
Version 2.0
devops
security
server name indication injection
sni
sni injection
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Nov 28, 2018

Hi kgaigl,

the iRule uses the 

HTTP_REQUEST
event to extract the HOST-header value of the client requested ressource. This value is then used as Server_SSL SNI-Value.

If the client requests https://www.domain.com/ the Server_SSL SNI-Value will become If the client requests https://ww2.domain.com/ the Server_SSL SNI-Value will become ww2.domain.com

Note: You may use whatever logic during the 

HTTP_REQUEST
event you like to decide which SNI-Value should be used to negotiate the Server Side SSL connection.

Important: To make this iRule work you have to make sure that you dont specify a SNI-Value in your Server_SSL_Profile. This will allow the iRule to simply inject the SNI-Value without clearing existing values (aka. clearing existing values is not supported). If you set the "Server Name" option in your Server_SSL_Profile, the SSL negotiation will most likely fail...

Cheers, Kai