Malwark_334365
Sep 22, 2017

iRule assistance - Block SSL/TLS unless client already has an existing session

Hi all, very new to F5. I kind of inherited it...

What I'm trying to accomplish: when an SSL/TLS request is initiated (maybe use CLIENTSSL_CLIENTHELLO), see if the client has an existing session; if yes, allow the SSL/TLS connection. If not, deny the connection.

Currently there is an HTTP_REQUEST redirect for our remote apps to the F5 login page, which works fine and creates the session, but at present I can create the SSL connection and bypass the F5 because the request isn't HTTP/S but does start out with an SSL/TLS handshake.

 

2 Replies

  • Hi,

    First, change the question title; I read the question only today because of the title.

    I think "iRule assistance" and "iRule help" titles are questions less read.

    Can you please describe your need? If you have an iRule working and you want to change the behavior, share it!

    Then try to explain what you expect with simple sentences and examples.

    When I read your description, you want to block the SSL handshake for new sessions and allow only the handshake for existing sessions. This code will block all new requests, as the SSL handshake is done first.


  • Hi,

    I guess the HTTPS logon page and the TLS services are on different VSs. If not, it will be more difficult because you will have to capture the TCP packet first and decode it to parse the binary content.

    You can create a table record with the IP address in an iRule assigned to the APM virtual server:

    when ACCESS_POLICY_COMPLETED {
        # Record the client IP once the access policy ends in "allow".
        # Entry timeout and lifetime follow the access profile's session timeouts.
        if {[ACCESS::policy result] equals "allow"} {
            table set -subtable L4SESSION [IP::client_addr] [ACCESS::session sid] [PROFILE::access inactivity_timeout] [PROFILE::access max_session_timeout]
        }
    }

    when ACCESS_SESSION_CLOSED {
        # Remove the entry when the APM session ends (logout or expiry).
        table delete -subtable L4SESSION [IP::client_addr]
    }

    Then accept connections on the other VS if the IP address is known:

    when CLIENT_ACCEPTED {
        # No APM session recorded for this source IP: drop the connection.
        if {[table lookup -subtable L4SESSION [IP::client_addr]] equals ""} {
            drop
        }
    }
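An added example, not code from this thread, for the TLS virtual server side of the same L4SESSION design: the lookup uses -notouch so an unauthenticated connection attempt does not refresh the authorized entry's inactivity timeout, and each dropped source is logged at most once per 60 s so the denials show up in the LTM log. The L4SESSION_DENYLOG subtable name is my own choice.

```tcl
# Added example (not from the thread): same L4SESSION table as the APM-side
# iRule above, with two hardening changes on the TLS virtual server.
#  - "table lookup -notouch" reads the entry without resetting its timeout,
#    so attempts from an unauthenticated client that shares the source IP
#    do not extend the authorized user's inactivity window.
#  - Dropped sources are logged, rate-limited to one line per source per
#    60 s via a second subtable (L4SESSION_DENYLOG, an assumed name).
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    if { [table lookup -notouch -subtable L4SESSION $src] equals "" } {
        if { [table lookup -notouch -subtable L4SESSION_DENYLOG $src] equals "" } {
            # The value is unused; the entry only marks that this source
            # was already logged within the last 60 seconds.
            table set -subtable L4SESSION_DENYLOG $src 1 60
            log local0. "L4SESSION: no APM session for $src, dropping connection to [IP::local_addr]:[TCP::local_port]"
        }
        drop
    }
}
```

Keying on the client IP still admits every client behind the same NAT address once one user has logged in, so the log line above is worth alerting on where a single denied source keeps reappearing.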