16-Sep-2022 11:32 - edited 16-Sep-2022 12:57
A question was asked about how to filter which virtuals have client-side or server-side SSL profiles, or carry SSL without any profile as passthrough. Nothing in the virtual object itself tells you this unless you rely on your naming schema and the well-known SSL ports. But if you enumerate all the SSL profiles that exist and check which of them are applied to each virtual, you can work it out. This tmsh script attempts to make sense of those details.
Merge the cli script into the BIG-IP configuration; usage is then:
tmsh run cli script vip_ssl_check.tcl
Results are printed like so:
[root@ltm3:Active:Standalone] config # tmsh run cli script testtype.tcl
Virtual: ext_nerdknobs.tech_80
Client-side encrypted: false
Server-side encrypted: false
Inspection possible: true
Virtual: ext_nerdknobs.tech_443
Client-side encrypted: true
Server-side encrypted: true
Inspection possible: true
Virtual: h2test
Client-side encrypted: true
Server-side encrypted: false
Inspection possible: true
Virtual: viptest1
Client-side encrypted: false
Server-side encrypted: true
Inspection possible: true
Virtual: virtual_name3
Client-side encrypted: true
Server-side encrypted: true
Inspection possible: false
Future work could be to fold this logic into the config search tool for specific virtuals/ports, etc.
vip_ssl_check.tcl (Gist on GitHub)
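As an added example (not the author's script and not from the gist), the same classification rules applied offline to a saved bigip.conf instead of live tmsh objects. The excerpt, the parse_objects/classify names and the treatment of a numeric 443 service as SSL are assumptions of this example; because bigip.conf writes every profile reference fully qualified, partition and AS3 folder names resolve without any per-folder cd.

```python
import re

# Constructed bigip.conf excerpt (not from the thread): fully qualified names, braced blocks.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/clientssl { }
ltm profile server-ssl /Common/serverssl { }
ltm profile client-ssl /Tenant/App/cssl_app { defaults-from /Common/clientssl }
ltm virtual /Common/vs_80 {
    destination /Common/10.0.0.10:http
    profiles { /Common/http { } /Common/tcp { } }
}
ltm virtual /Common/vs_443 {
    destination /Common/10.0.0.10:https
    profiles { /Common/clientssl { context clientside } /Common/http { } /Common/serverssl { context serverside } }
}
ltm virtual /Common/vs_passthru {
    destination /Common/2001:db8::10.https
    profiles { /Common/fastL4 { } }
}
ltm virtual /Tenant/App/vs_app {
    destination /Tenant/App/10.0.0.12:443
    profiles { /Tenant/App/cssl_app { context clientside } /Common/http { } }
}
"""
HEADER = re.compile(r"^ltm (profile client-ssl|profile server-ssl|virtual) (/\S+) \{")

def parse_objects(conf):
    """Split at column-0 lines (top-level bigip.conf objects) and keep the kinds in HEADER."""
    chunks = re.split(r"(?m)^(?=\S)", conf)
    return [(m.group(1), m.group(2), c) for c in chunks if (m := HEADER.match(c))]

def classify(conf, ssl_services=("https", "443")):
    """Map virtual name -> (client_encrypted, server_encrypted, inspectable), thread's rules."""
    objs = parse_objects(conf)
    cssl = {n for k, n, _ in objs if k == "profile client-ssl"}
    sssl = {n for k, n, _ in objs if k == "profile server-ssl"}
    result = {}
    for kind, name, body in objs:
        if kind != "virtual":
            continue
        refs = set(re.findall(r"(/\S+) \{", body))        # braced references = attached profiles
        c, s = bool(refs & cssl), bool(refs & sssl)
        # service name after ':' (IPv4) or '.' (IPv6), e.g. https or 443
        service = re.search(r"^\s*destination \S*[.:](\w+)$", body, re.M).group(1)
        if c or s:
            result[name] = (c, s, True)          # SSL profile attached: BIG-IP can decrypt
        elif service in ssl_services:
            result[name] = (True, True, False)   # SSL port but no profile: passthrough, opaque
        else:
            result[name] = (False, False, True)  # plaintext end to end
    return result
```

Run classify() over a full bigip.conf to get the same three flags per virtual that the tmsh script prints.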
It seems that the check only works on the configuration of the Common partition. I added a few lines of code to script::run to detect the configuration of all partitions.
I want to know where the cli script filestore is. I cat bigip.conf and cannot find the cli script.
proc script::run {} {
    # print_ssl_details is defined in the original vip_ssl_check.tcl gist and is unchanged here
    # Build the Client SSL and Server SSL profile lists for every partition
    foreach partition_config [tmsh::get_config /auth partition] {
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        # tmsh::get_config lists the current folder only, so move into the partition first
        tmsh::cd /${partition}
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partition virtuals use Common partition client-ssl profiles, and the
            # ltm virtual config lists such a profile as /Common/xxx, so also store the
            # name with its partition prefix; otherwise
            # lsearch -exact $::cssl_profiles $profile_name would fail
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # a profile in another partition is listed as /Partition/name; a local one
                # as a bare name, so qualify it to avoid a false match on a same-named
                # profile in a different partition
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] end] eq "https" } {
                # No profiles, but port 443, likely passthrough
                # (the service is the last ":"-separated field, which also survives IPv6 destinations)
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        puts "-----------------------------------------------"
    }
}
The above version cannot check the SSL issued by AS3, because it is configured under /Partition/Folder.
A rough test of the following code shows it can detect the configuration below an AS3 folder.
proc script::run {} {
    # print_ssl_details is defined in the original vip_ssl_check.tcl gist and is unchanged here
    # Build the Client SSL and Server SSL profile lists for every partition and folder
    foreach partition_config [tmsh::get_config /auth partition] {
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        tmsh::cd /$partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partition virtuals use Common partition client-ssl profiles, and the
            # ltm virtual config lists such a profile as /Common/xxx, so also store the
            # name with its partition prefix; otherwise
            # lsearch -exact $::cssl_profiles $profile_name would fail
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
        # AS3 places its objects in /Partition/Folder, so collect the profiles there too
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set partition_folder_name [tmsh::get_name $partition_folder_config]
            tmsh::cd /${partition}/${partition_folder_name}
            foreach folder_cssl_profile [tmsh::get_config /ltm profile client-ssl] {
                lappend ::cssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_cssl_profile]"
            }
            foreach folder_sssl_profile [tmsh::get_config /ltm profile server-ssl] {
                # the folder server-ssl list used $sssl_profile here by mistake; it must be the folder loop variable
                lappend ::sssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_sssl_profile]"
            }
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # a profile in another partition is listed as /Partition/name; a local one
                # as a bare name, so qualify it to avoid a false match on a same-named
                # profile in a different partition
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] end] eq "https" } {
                # No profiles, but port 443, likely passthrough
                # (the service is the last ":"-separated field, which also survives IPv6 destinations)
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        # Repeat the same checks for the virtuals inside each /Partition/Folder
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set current_partition_folder_name [tmsh::get_name $partition_folder_config]
            puts "Partition Folder: /${partition_name}/${current_partition_folder_name}"
            tmsh::cd /${partition_name}/${current_partition_folder_name}
            foreach folder_virtual [tmsh::get_config /ltm virtual] {
                set folder_vip_name [tmsh::get_name $folder_virtual]
                foreach folder_profile [tmsh::get_field_value $folder_virtual profiles] {
                    if { [string first "/" [tmsh::get_name $folder_profile]] == 0 } {
                        set folder_profile_name [tmsh::get_name $folder_profile]
                    } else {
                        set folder_profile_name "/${partition_name}/${current_partition_folder_name}/[tmsh::get_name $folder_profile]"
                    }
                    if { [lsearch -exact $::cssl_profiles $folder_profile_name] != -1 } {
                        set cssl_match 1
                    }
                    if { [lsearch -exact $::sssl_profiles $folder_profile_name] != -1 } {
                        set sssl_match 1
                    }
                }
                if { [info exists cssl_match] && [info exists sssl_match] } {
                    # Client-side & Server-side profiles
                    print_ssl_details $folder_vip_name true true true
                    unset cssl_match
                    unset sssl_match
                } elseif { [info exists cssl_match] } {
                    # Client-side profile only
                    print_ssl_details $folder_vip_name true false true
                    unset cssl_match
                } elseif { [info exists sssl_match] } {
                    # Server-side profile only
                    print_ssl_details $folder_vip_name false true true
                    unset sssl_match
                } elseif { [lindex [split [tmsh::get_field_value $folder_virtual destination] ":"] end] eq "https" } {
                    # No profiles, but port 443, likely passthrough
                    print_ssl_details $folder_vip_name true true false
                } else {
                    # No profiles or known SSL ports, likely unencrypted
                    print_ssl_details $folder_vip_name false false true
                }
            }
        }
        puts "-----------------------------------------------"
    }
}