0

I have a F5 Virtual Server configured with client-side https encryption, in front of a web server.

I would like this VS to manage also HTTP CONNECT requests, so that clients can request it either as a web server, or as a proxy.

That is to say, the VS should decrypt all TCP connections, but if the first TCP packet starts with "CONNECT", it should first respond HTTP 200, then wait for the next packet (that must be "client hello") and process the SSL handshake.

It is certainly possible with some iRule, but I can't easily get a solution, and I can't find any help on Internet, since F5 doc is not open. Does anyboy know how to do it ?

fxdeltombe
  • 51
  • 5

1 Answers1

1

I finally found a solution.

The VS default behavour is to process the SSL decryption right from the first TCP packet : so one must look at the first TCP packet, and, if it starts with CONNECT,

  • disable SSL decryption,
  • respond with HTTP 200,
  • then reenable SSL decryption for the "client hello" that should come right after

It works in both context :

  • in TCP context, before SSL decryption, to detect CONNECT request

  • and in HTTP context, to properly respond to the CONNECT request

    when CLIENT_ACCEPTED {     # TCP CONTEXT
    TCP::collect 7         # look at the first 7 bytes of TCP stream
}
when CLIENT_DATA {
    if { [TCP::payload] starts_with "CONNECT" } {
        SSL::disable       # disable SSL decryption
    }
}

when HTTP_REQUEST {        # HTTP CONTEXT
    if { [HTTP::method] eq "CONNECT" } {
        HTTP::respond 200  # send HTTP 200
        SSL::enable        # re-enable SSL decryption for next "client hello"
    }
}
fxdeltombe
  • 51
  • 5