HTTP Connect Proxy Helper for Citrix XenApp Server

Problem this snippet solves:

The HTTP Connect Proxy Helper iRule identifies whether a client is a PN Agent. If so, the connection is handled differently than normal Web Interface users. Among other things, the authentication credentials are received via headers and need to be passed through. This is also correlated with the APM session information.

This iRule is part of the F5 Deployment Guide "Deploying the BIG-IP APM Secure Proxy with Citrix XenAPP", which can be found in the Resources section of f5.com.

Please see the deployment guide for full instructions on how to install, use and configure this iRule.

Code :

# Switch off SSL if this is an HTTP CONNECT request
when CLIENT_ACCEPTED {
    # Peek at the first 7 bytes to see whether the client sent a cleartext CONNECT
    TCP::collect 7
}
when CLIENT_DATA {
    if { [TCP::payload 7] equals "CONNECT" } {
        SSL::disable
    }
    TCP::release
}
when HTTP_REQUEST {
    if { [HTTP::method] equals "CONNECT" } {
        # IP and port of the Citrix server are passed in the proxy password as ip-port
        set authstr [HTTP::header Proxy-Authorization]
        # extract the base64 username:pass
        set authstr [lindex [ split $authstr " " ] 1 ]
        # b64 decode it
        set authstr [b64decode $authstr]
        # extract password
        set authstr [ lindex [ split $authstr ":" ] 1 ]
        set ipport [split $authstr "-" ]
        set ip [ lindex $ipport 0 ]
        set port [ lindex $ipport 1 ]
        # Only allow targets listed in the CitrixAppServers data group
        if { [matchclass CitrixAppServers equals "$ip-$port"] eq 0 } {
            log local0. "Invalid IP and Port $ip-$port in CONNECT from IP [IP::client_addr]"
            reject
            return
        }
        node $ip $port
        TCP::respond "HTTP/1.0 200 Connection established\r\n\r\n"
        HTTP::disable discard
        # The tunnelled traffic is SSL again, so re-enable SSL and inspect it
        SSL::enable
        SSL::collect
        TCP::collect 7
    }
}
when CLIENTSSL_DATA {
    # First byte of a SOCKS message is the protocol version
    binary scan [SSL::payload] c socksver
    if { $socksver != 5 } {
        SSL::release
        return
    }
    # Consume the SOCKS message so it is not forwarded to the Citrix server
    SSL::payload replace 0 [SSL::payload length] {}
    if { [info exists socks_connect] } {
        # Second message (connect request): reply success, bound address 0.0.0.0:0
        SSL::respond [binary format H2H2H2H2H2H2H2H2H2H2 05 00 00 01 00 00 00 00 00 00]
        SSL::release
    } else {
        # First message (greeting): select method 00, no authentication
        set socks_connect {}
        SSL::respond [binary format H2H2 05 00]
        SSL::collect
    }
}
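
An offline model of the target check in HTTP_REQUEST, added here as an example (it is not part of the F5 iRule or the deployment guide), for testing which Proxy-Authorization values end up selecting a backend. The data group contents and the helper names tcl_field, connect_target and basic are constructed for illustration, and treating malformed base64 as a reject is an assumption of the model.

```python
import base64
import binascii

# Constructed stand-in for the CitrixAppServers data group ("ip-port" strings).
CITRIX_APP_SERVERS = {"10.1.1.10-1494", "10.1.1.11-2598"}


def tcl_field(value, sep, index):
    """Mimic [lindex [split $value $sep] $index]: empty string if out of range."""
    parts = value.split(sep)
    return parts[index] if index < len(parts) else ""


def connect_target(proxy_authorization, allowed=CITRIX_APP_SERVERS):
    """Return the (ip, port) the check would select, or None if rejected."""
    # Second space-separated token is the base64 "username:password" blob.
    token = tcl_field(proxy_authorization, " ", 1)
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None  # assumption: malformed base64 is treated as a reject
    # Only the second ":"-separated field is used as the password.
    password = tcl_field(decoded, ":", 1)
    # The password carries the target as "ip-port"; extra fields are ignored.
    ip = tcl_field(password, "-", 0)
    port = tcl_field(password, "-", 1)
    # Exact-match allowlist lookup, as with "matchclass ... equals".
    if f"{ip}-{port}" not in allowed:
        return None
    return ip, port


def basic(user, password):
    """Build a constructed Proxy-Authorization value for the test cases."""
    blob = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + blob


if __name__ == "__main__":
    for pw in ("10.1.1.10-1494", "192.0.2.7-22", "10.1.1.10:1494"):
        print(pw, "->", connect_target(basic("user", pw)))
```

Because the backend is chosen from client-supplied data, the data group is the only thing that keeps the virtual server from proxying to arbitrary addresses, so it should list exactly the XenApp servers and ports in use.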
Published Mar 18, 2015
Version 1.0
