Forum Discussion

Simon_Beaudoin
Oct 27, 2020

Trying to achieve a specific configuration with an iRule and SSL proxy.

Here is what we are trying to achieve to replace a Microsoft IIS server.

Many of our client servers do not support TLS 1.2, so we have this web server that acts as a proxy for them.

The IIS server presents a certificate based on a hostname. Then the requested URL is parsed on the IIS server, the original client certificate is presented to the EXTERNAL website, and data is exchanged through the IIS server.

For example:

Client asks for: https://iisredirect.sdswebapp.com/URL=login.decisivapps.com/oauth/token, which goes to the IIS server.

The IIS server "comforts" the client with its own certificate.

The request is received at https://login.decisivapps.com/oauth/token from the IIS server on behalf of the client.

Then the IIS server exchanges data between them until completion.

We cannot use nodes because all those sites are external.

What we've tested so far was an iRule that "works" on redirection only, but not as a proxy.

Our dev team would like to replace this IIS server without having to use nodes, data groups or similar. Only with the /URL=??? method already hardcoded on hundreds of servers.

Is there any way to achieve this ?

Thank you

1 Reply

  • > We cannot use nodes because all those sites are external.

    You can define nodes that are external to the networks on the LTM.

    > Our dev team would like to replace this IIS server without having to use nodes, data groups or similar. Only with the /URL=??? method already hardcoded on hundreds of servers.

    It's certainly achievable, but not trivial.

    I'd suggest approaching F5 Professional Services to get this written.

    Otherwise, here is a high-level iRule structure:

    You need server-ssl profiles for all the target servers, with the relevant settings and client-auth certificates.
    They need to be named in a structured way so they can be correctly selected with the host name.

    Get the request URI (HTTP::uri).
    Split it on "URL=" and keep the second result.
    Prepend "https://" so you have a target URI for the server-side response.
    Use URI::host to get the host name.
    Use DNS::resolve to get an IP address from the host name.
    Set the node using the IP address.
    Change the Host header in the request.
    Select the correct server-ssl profile based on the host name.
    Allow the request to be made.
    Once you have a response, translate any embedded URLs as required.
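The steps outlined in the reply above, written out as an iRule. This is an added example, not code from the thread or from F5; it follows the reply's structure but makes a few assumptions that are not in the thread: the DNS resolver address 10.0.0.53 is a placeholder, server-ssl profiles are assumed to be named /Common/serverssl_<hostname> (for example /Common/serverssl_login.decisivapps.com) and to carry that target's client certificate, the proxy hostname iisredirect.sdswebapp.com is taken from the original post, and RESOLV::lookup is used for name resolution where the reply says DNS::resolve. The event in which SSL::profile is applied (SERVER_CONNECTED here) should be confirmed against the iRule reference for the BIG-IP version in use.

```tcl
# Added example iRule (not from the thread). Assumed placeholders:
#  - DNS resolver 10.0.0.53
#  - server-ssl profiles named /Common/serverssl_<hostname>, one per
#    allowed external site, each holding that site's client certificate
#  - the virtual server has client-ssl, http and a default server-ssl
#    profile attached so SSL::profile can swap it per connection
when HTTP_REQUEST {
    set uri [HTTP::uri]
    set marker "/URL="

    # Only requests of the hardcoded /URL=host/path form are proxied;
    # anything else is refused rather than forwarded somewhere by default.
    if { ![string match "${marker}*" $uri] } {
        HTTP::respond 400 content "missing /URL= prefix" "Connection" "close"
        return
    }
    set target [string range $uri [string length $marker] end]

    # Split "host/path?query" into host and the rest (default path "/").
    set slash [string first "/" $target]
    if { $slash == -1 } {
        set target_host $target
        set target_path "/"
    } else {
        set target_host [string range $target 0 [expr {$slash - 1}]]
        set target_path [string range $target $slash end]
    }

    # Accept only a plain DNS hostname before it reaches a Host header
    # or a profile name: no port, userinfo, CR/LF or other junk.
    set target_host [string tolower $target_host]
    if { ![regexp {^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$} $target_host] } {
        HTTP::respond 400 content "bad target host" "Connection" "close"
        return
    }

    # Resolve the name; RESOLV::lookup returns a (possibly empty) list.
    set addrs [RESOLV::lookup @10.0.0.53 -a $target_host]
    if { [llength $addrs] == 0 } {
        HTTP::respond 502 content "cannot resolve $target_host" "Connection" "close"
        return
    }

    # Rewrite the request so the external site sees an ordinary request.
    HTTP::uri $target_path
    HTTP::header replace Host $target_host
    set serverssl_profile "/Common/serverssl_${target_host}"

    # Send this connection straight to the resolved address on 443,
    # bypassing pools and configured nodes.
    node [lindex $addrs 0] 443
}

when SERVER_CONNECTED {
    # Select the server-ssl profile for this host. If no profile exists
    # for the host, SSL::profile errors and the connection is dropped, so
    # the set of configured profiles doubles as the allowlist of sites
    # the BIG-IP will present a client certificate to.
    if { [catch { SSL::profile $serverssl_profile }] } {
        reject
    }
}

when HTTP_RESPONSE {
    # Translate redirects back into the /URL= form so the client keeps
    # coming through the proxy instead of going to the site directly.
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header Location]
        if { [string match "https://*" $loc] } {
            HTTP::header replace Location \
                "https://iisredirect.sdswebapp.com/URL=[string range $loc 8 end]"
        }
    }
}
```

Two points worth checking before using something like this. First, without the profile-existence check (or some other allowlist) the virtual server is an open forward proxy that lends the organisation's client certificates to any host a caller names in /URL=, so keep a deliberate gate even though the dev team wants no data groups. Second, a client that sends several requests for different hosts over one keep-alive connection will not be re-routed unless the virtual server has a OneConnect profile, because the node command only takes effect when the server-side connection is (re)established; rewriting URLs embedded in response bodies, which the reply mentions last, needs a stream profile and STREAM::expression rather than header edits.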