Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

URL Rewrite - Closes TLS session

JohnInJaxBK
Nimbostratus
Nimbostratus

‎07-Jun-2021 09:53 - last edited on ‎04-Jun-2023 20:52 by Fog

I need to rewrite the client request to a form that the server needs.

Example:

apps.svr1.oscplatform.site/rewrite/example-app-name/blah

to this:

example-app-name.apps.svr1.oscplatform.site/blah

I have a rule working using HTTP_REQUEST event.

PROBLEM:

The TLS session to the client is invalidated when I change the host. So every single call has to do TLS handshake again.

Is there a way to prevent host header change killing the TLS session?

when HTTP_REQUEST {
    #log local0. "host: [HTTP::host], uri: [HTTP::uri]"
 
 
    switch -glob [string tolower [HTTP::host]] {
        "apps.svr1.oscplatform.site" -
        "apps.svr2.oscplatform.site" -
        "apps.svr3.oscplatform.site" {
            # Example rewrite URL:
            # apps.svr1.oscplatform.site/rerwite/example-app-name/blah
			
            # Result after rule:
            # example-app-name.apps.svr1.oscplatform.site/blah
 
 
            # Removed the /rewrite/
            set svc_uri [substr [HTTP::uri] 9]
            #log local0. "svc_uri: $svc_uri"
 
 
            # Splits the remaining URI into service name and original URI.
            # systemdates-mwa/blah becomes systemdates-mwa and /blah
            set part_count [scan $svc_uri {%[^?/#]%s} svc uri]
 
 
            # If there was no original URI update it to blank.
            if { $part_count == 1 } {
                set uri ""
            }
            #log local0. "host: $svc.[HTTP::host] uri: '$uri'"
 
 
            # Set the new host value.
            HTTP::host "$svc.[HTTP::host]"
 
 
            # Update URI to the correct value.
            HTTP::uri  "$uri"
        }
    }
 
 
    # Set the value used in the SNI extension record.
    # This is used in the SSL handshake to the destination server.
    # This is how we implement SSL Bridging with a possible URL rewrite in the middle.
    set sni_value [HTTP::host]
}
 
 
when SERVERSSL_CLIENTHELLO_SEND {
    #log local0. "sni_value: $sni_value"
 
 
    # SNI extension record as defined in RFC 3546/3.1
    #
    # - TLS Extension Type       =  int16( 0 = SNI ) 
    # - TLS Extension Length     =  int16( $sni_length + 5 byte )
    # - SNI Record Length        =  int16( $sni_length + 3 byte)
    # - SNI Record Type          =   int8( 0 = HOST )
    # - SNI Record Value Length  =  int16( $sni_length )
    # - SNI Record Value         =    str( $sni_value )
    #
    # Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO 
    SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
}
Labels:
0 Kudos
1 REPLY 1

Nikoolayy1
MVP
MVP

‎09-Jun-2021 01:43

1.For this I am certain if it is possible but can you check the below article for bug it may give you ideas about how to rewrite the SSL SNI without iRule:

 

 

https://support.f5.com/csp/article/K05411532

 

 

 

 

 

2.General info for the F5 buid in SNI options without irules:

 

 

https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

 

 

https://support.f5.com/csp/article/K13452

 

 

 

 

 

Just a note also to rewrite URL if needed in the payload, you will need to use stream profile:

 

 

https://support.f5.com/csp/article/K39394712

0 Kudos
Copyright © 2023 Khoros, LLC