Trying to achieve a specific configuration with an iRule and SSL Proxy.

Simon_Beaudoin
Nimbostratus

Here is what we are trying to achieve to replace a Microsoft IIS Server.

Many of our client servers are not supporting TLS 1.2, so we have this webserver that acts as a proxy for them.

The IIS Server is presenting a certificate based on a hostname, then the URL requested is parsed on the IIS server and the original client certificate is presented to the EXTERNAL website and data is exchanged through the IIS Server.

For example:

Client asks for: https://iisredirect.sdswebapp.com/URL=login.decisivapps.com/oauth/token, which goes to the IIS server.

IIS Server "comforts" the client with its own certificate.

The request is received at https://login.decisivapps.com/oauth/token from the IIS server on behalf of the client.

Then the IIS server exchanges data between them until completion.

We cannot use nodes because all those sites are external.

What we've tested so far was an iRule that "works" on redirection only, but not as a proxy.

Our dev team would like to replace this IIS server without having to use nodes, datagroups or so. Only with the /URL=??? method already hardcoded on hundreds of servers.

Is there any way to achieve this?

Thank you

Simon_Blakely
F5 Employee

> We cannot use nodes because all those sites are external.

You can define nodes that are external to the networks on the LTM.

> Our dev team would like to replace this IIS server without having to use nodes, datagroups or so. Only with the /URL=??? method already hardcoded on hundreds of servers.

It's certainly achievable, but not trivial.

I'd suggest approaching F5 Professional Services to get this written.

Otherwise, here is a high-level iRule structure.

You need server-ssl profiles for all the target servers, with relevant settings and client-auth certificates.

They need to be named in a structured way so they can be correctly selected with the host name.

Get the request URI (HTTP::uri).

Split it on "URL=", and keep the second result.

Prepend "https://" so you have a target URI for the server-side request.

Use URI::host to get the host name.

Use DNS::resolve to get an IP address from the host name.

Set the node using the IP address.

Change the Host header in the request.

Select the correct server-ssl profile based on the hostname.

Allow the request to be made.

Once you have a response, translate any embedded URLs as required.
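The structure outlined in the reply above, written out as an added example iRule (example code, not the reply author's or F5's own). Assumptions that are not in the original: the server-ssl profiles are named `serverssl_<hostname with dots replaced by underscores>` (so `login.decisivapps.com` maps to `serverssl_login_decisivapps_com`), name resolution uses the `RESOLV::lookup` iRule command against a placeholder resolver address (the reply refers to this step as DNS::resolve), and targets are reached on port 443. Because the target host comes straight from the client's URL, the rule only forwards to hosts listed in the `switch` block; without that check the virtual server would act as an open forwarding proxy to any host on the Internet.

```tcl
when RULE_INIT {
    # Constructed placeholder values; adjust to the environment.
    set static::dns_server  "192.0.2.53"
    set static::target_port 443
}

when HTTP_REQUEST {
    # Remember the proxy's own host name for rewriting redirects in HTTP_RESPONSE.
    set proxy_host [HTTP::host]

    # Step 1: take the request URI and keep everything after "URL=".
    set uri [HTTP::uri]
    set pos [string first "URL=" $uri]
    if { $pos == -1 } {
        HTTP::respond 400 content "Missing URL= parameter" "Content-Type" "text/plain"
        return
    }
    set rest [string range $uri [expr {$pos + 4}] end]

    # Step 2: prepend https:// so URI::host can parse the target host name.
    set target "https://$rest"
    set host [string tolower [URI::host $target]]

    # The path is whatever follows the first "/" after the host; "/" if absent.
    set slash [string first "/" $rest]
    if { $slash == -1 } {
        set path "/"
    } else {
        set path [string range $rest $slash end]
    }

    # Step 3: only hosts that have a prepared server-ssl profile may be targeted.
    # Everything else is refused rather than proxied (avoids an open proxy).
    switch -- $host {
        "login.decisivapps.com" { }
        default {
            HTTP::respond 403 content "Target host not permitted" "Content-Type" "text/plain"
            return
        }
    }

    # Step 4: resolve the host name to an address (RESOLV::lookup used here;
    # the resolver address is an assumed placeholder).
    set addrs [RESOLV::lookup @$static::dns_server -a $host]
    if { [llength $addrs] == 0 } {
        HTTP::respond 502 content "Cannot resolve target host" "Content-Type" "text/plain"
        return
    }
    set ip [lindex $addrs 0]

    # Step 5: point the connection at that address, fix up Host header and URI.
    node $ip $static::target_port
    HTTP::header replace Host $host
    HTTP::uri $path

    # Step 6: pick the server-ssl profile by the assumed naming convention.
    set profile "serverssl_[string map {. _} $host]"
    SSL::profile $profile
    # Step 7: the request is then released to the selected node.
}

when HTTP_RESPONSE {
    # Step 8: translate redirects back into the proxy's /URL= form so the
    # client keeps talking to the proxy rather than the external site.
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header Location]
        if { [string match -nocase "https://*" $loc] } {
            HTTP::header replace Location "https://$proxy_host/URL=[string range $loc 8 end]"
        }
    }
}
```

Two practical points: `SSL::profile` can only switch to another server-ssl profile when the virtual server already has a server-ssl profile attached, so attach a default one alongside the per-host profiles; and the `HTTP_RESPONSE` block only rewrites the Location header, so URLs embedded in response bodies would need a stream profile or similar body rewriting in addition.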