Performing SSL Bypass for Forward Proxy Traffic based using an iRule capturing the SNI
Hey everyone!
I'm currently developing an iRule to exclude certain traffic from the "Full Proxy" Architecture by turning off the HTTP Profile and Client/Server SSL Profile for our SSL Forward Proxy. We are using the built in function in SWG but for some banking applications it still does not seem to work and the SWG's intelligence is getting in the way. We have been hit with a few bugs which we are currently resolving but in the mean time we need to have this iRule in place to create a workaround.
We would like a clean cut for some of the applications they have by adding them to a Data Group and building an iRule for this purpose.
Here is the current iRule:
when RULE_INIT {
set 1 to enable logging, 0 to disable
set static::debug 0
}
when CLIENT_ACCEPTED {
This iRule is meant to Passthrough SSL Connections for SWG in order to solve SSL issue. Based on Data Group List of IP addresses.
if { [class match [IP::local_addr] equals DG_SWG_SSL_Passthrough_IP] }
{
SSL::disable clientside
SSL::disable serverside
HTTP::disable
if {$static::debug}{log local0. "ir181017-1 - Client IP: {[IP::client_addr]} Server IP: {[IP::local_addr]}: - Match DataGroup DG_SWG_SSL_Passthrough_IP! Disabling SSL"}
}
}
when CLIENTSSL_CLIENTHELLO {
This iRule is meant to Passthrough SSL Connections for SWG in order to solve SSL issues. Based on Data Group List of FQDNs.
if {$static::debug}{log local0. "ir181017-2 - Client IP: {[IP::client_addr]} - Client Request Server SSL SNI: {[SSL::sni name]}"}
if { [class match [string tolower [SSL::sni name]] contains DG_SWG_SSL_Passthrough_FQDN] }
{
SSL::disable clientside
SSL::disable serverside
HTTP::disable
if {$static::debug}{log local0. "ir181017-3 - Client IP: {[IP::client_addr]} - Server SSL SNI: {[SSL::sni name]} - Match DataGroup DG_SWG_SSL_Passthrough_FQDN! Disabling SSL"}
}
}
The most relevant part of the iRule is the CLIENTSSL_CLIENTHELLO section. When logging the entries, we cannot see any SSL::sni in the logs. But when tcpdumping we can clearly see that there is Server Name Indication fields in the traffic.
Perhaps we are using the SSL::sni command wrong. Perhaps we can use the SSL::extension and have it return the SNI from there and we match against that instead?