SNI Routing with BIG-IP
Thanks!
Your iRule is very nice and useful if you want to combine it with tactics like TLS fingerprinting.
AFAIK, the requirement for an SSL persistence profile enables inspection of the connection without requiring a clientssl profile. Normally it is used to extract the SSL session ID, but the TLS extensions are also available.
To prove that no clientssl profile is required, here's an example from my lab setup (using tmsh output).
    ltm virtual test_vs {
        destination 192.0.2.10:443
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            ssl {
                default yes
            }
        }
        policies {
            sni_routing { }
        }
        profiles {
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 5
    }
and here's the matching policy (the screenshots in the article are inverted from my diagram, so I updated the following to match the diagram).
    ltm policy sni_routing {
        controls { forwarding }
        last-modified 2018-05-23:00:37:54
        requires { client-ssl }
        rules {
            rule_001 {
                actions {
                    0 {
                        forward
                        ssl-client-hello
                        select
                        virtual /Common/test_ssl_vs
                    }
                }
                conditions {
                    0 {
                        ssl-extension
                        ssl-client-hello
                        server-name
                        values { app1.example.com }
                    }
                }
                description sni:app1.example.com,virtual:test_ssl_vs
                ordinal 2
            }
            rule_002 {
                actions {
                    0 {
                        forward
                        ssl-client-hello
                        select
                        pool test_ssl
                    }
                }
                conditions {
                    0 {
                        ssl-extension
                        ssl-client-hello
                        server-name
                        values { app2.example.com }
                    }
                }
                description sni:app2.example.com,pool:test_ssl
                ordinal 3
            }
        }
        status published
        strategy first-match
    }
On version 13.1 (used above) the policy will show requires "client-ssl"; prior to that you will see "ssl-persistence". In either version you can use the policy without a clientssl profile, as you can see in the earlier output.
You can verify all is well by using openssl:
    [demo]$ echo | openssl s_client -showcerts -servername app1.example.com -connect 192.0.2.10:443 2>/dev/null | grep "subject="
    subject=/CN=app1.example.com
    [demo]$ echo | openssl s_client -showcerts -servername app2.example.com -connect 192.0.2.10:443 2>/dev/null | grep "subject="
    subject=/CN=app2.example.com
Checking out the stats via the GUI or TMSH is helpful too.
    (tmos) show /ltm policy sni_routing

    ---------------------------
    Ltm::Policy: sni_routing
    ---------------------------
    Virtual Server Name       N/A

    Status
      Actions invoked         : 7
      Actions succeeded       : 7

    --------------------------------------------------
    | Rule      Action               Invoked  Succeeded
    --------------------------------------------------
    | rule_001  0 [forward select]   4        4
    | rule_002  0 [forward select]   3        3