Serverside SNI injection iRule

Problem this snippet solves: Hi Folks, the iRule below can be used to inject a TLS SNI extension to the server side based on e.g. HOST-Header values. The iRule is usefull if your pool servers depe...
Updated Jun 06, 2023
Version 2.0
devops
security
server name indication injection
sni
sni injection
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Feb 25, 2019

Hi Kay,

Actually Server Name can be enabled, it just has to be empty. Wonder why not use something like that in SERVERSSL_CLIENTHELLO_SEND:

clientside {
   set sni_value [getfield [HTTP::host] ":" 1]
   log local0. "SNI should be: \"$sni_value\""
}

I know that TCL error ("{badEventContext {command is not valid in current event context (SERVER_CONNECTED)} is generated when saving iRule but according to support as long as you are actually processing HTTP at clientside this will work without issue - and indeed it works for me.

Any comments why not to use?

Piotr