I have an F5 Virtual Server configured with client-side HTTPS encryption, in front of a web server.
I would like this VS to also handle HTTP CONNECT requests, so that clients can use it either as a web server or as a proxy.
That is to say, the VS should decrypt all TCP connections, but if the first TCP packet starts with "CONNECT", it should first respond with HTTP 200, then wait for the next packet (which must be a "client hello") and process the SSL handshake.
It is certainly possible with some iRule, but I can't easily get a solution, and I can't find any help on the Internet, since the F5 doc is not open. Does anybody know how to do it?
I finally found a solution.
The VS default behaviour is to process the SSL decryption right from the first TCP packet, so one must look at the first TCP packet, and, if it starts with CONNECT,
It works in both contexts:
and in HTTP context, to properly respond to the CONNECT request
```tcl
when CLIENT_ACCEPTED {
    # TCP context: hold the first 7 bytes of the client stream
    # before the SSL filter gets to see them
    TCP::collect 7
}

when CLIENT_DATA {
    if { [TCP::payload] starts_with "CONNECT" } {
        # plaintext CONNECT request: disable SSL decryption for it
        SSL::disable
    }
    # hand the collected bytes on, otherwise the connection stalls here
    TCP::release
}

when HTTP_REQUEST {
    # HTTP context: answer the CONNECT, then expect the "client hello" next
    if { [HTTP::method] eq "CONNECT" } {
        # send HTTP 200
        HTTP::respond 200
        # re-enable SSL decryption for the following "client hello"
        SSL::enable
    }
}
```
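A client-side probe of the exchange the question describes (CONNECT on a plain TCP stream, a 200, then a TLS handshake on that same stream), useful for checking that a virtual server behaves this way from the outside. This is an added example and not code from the original post or from F5; the host names, ports and function names are assumptions, and the decision helpers mirror the 7-byte prefix check the iRule makes.

```python
"""
Probe for a virtual server that has to accept both a plain TLS ClientHello
and a 'CONNECT host:port' request followed by a ClientHello on the same TCP
stream. Added example, not code from the original post. Host names, ports
and the function names here are assumptions.

Usage (assumed names): python3 connect_probe.py vs.example.com 443 www.example.com
"""
import socket
import ssl
import sys

FIRST_BYTES = 7  # same prefix length the iRule collects with TCP::collect 7


def looks_like_connect(prefix: bytes):
    """The decision the iRule makes in CLIENT_DATA on the collected bytes.

    Returns None when fewer than 7 bytes are available: TCP::collect 7 keeps
    waiting in that case, so nothing can be decided yet.
    """
    if len(prefix) < FIRST_BYTES:
        return None
    return prefix[:FIRST_BYTES] == b"CONNECT"


def looks_like_client_hello(prefix: bytes) -> bool:
    """TLS record header: content type 22 (handshake), major version 3,
    and handshake type 1 (ClientHello) at offset 5. This is what has to
    arrive right after the 200 for SSL::enable to have anything to decrypt."""
    return (len(prefix) >= 6 and prefix[0] == 0x16
            and prefix[1] == 0x03 and prefix[5] == 0x01)


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """CONNECT request in authority form, the only valid target for CONNECT."""
    authority = f"{target_host}:{target_port}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n"
            f"\r\n").encode("ascii")


def parse_status(response_head: bytes) -> int:
    """Status code from a response head such as b'HTTP/1.0 200 OK\\r\\n\\r\\n'."""
    line = response_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def read_response_head(sock: socket.socket) -> bytes:
    """Read up to the blank line that ends the CONNECT response.

    The server sends nothing else until our ClientHello, so any bytes after
    the blank line are unexpected and are reported rather than dropped.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the CONNECT response ended")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    if rest:
        raise ConnectionError(f"unexpected bytes after CONNECT response: {rest[:16]!r}")
    return head + b"\r\n\r\n"


def connect_then_tls(vs_host, vs_port, target_host, target_port=443, timeout=5.0):
    """The exchange from the question: CONNECT, expect 200, then start the
    TLS handshake on the same TCP connection and fetch '/'.

    Returns (negotiated TLS version, HTTP status of the GET)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((vs_host, vs_port), timeout=timeout) as raw:
        raw.sendall(build_connect_request(target_host, target_port))
        status = parse_status(read_response_head(raw))
        if status != 200:
            raise RuntimeError(f"CONNECT answered {status}, expected 200")
        # From here on the VS must be decrypting again (SSL::enable in the
        # iRule): the ClientHello goes out on the socket that just carried
        # plaintext HTTP.
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            tls.sendall(f"GET / HTTP/1.1\r\nHost: {target_host}\r\n"
                        f"Connection: close\r\n\r\n".encode("ascii"))
            head = b""
            while b"\r\n\r\n" not in head:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                head += chunk
            return tls.version(), parse_status(head)


if __name__ == "__main__":
    vs, port, target = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(connect_then_tls(vs, port, target))
```

If the VS never sends the 200 and instead closes the connection or answers with a TLS alert, the iRule's SSL::disable path was not taken; if the 200 arrives but `wrap_socket` fails, the SSL::enable step did not happen before the client hello. A plain `ssl.create_default_context().wrap_socket(...)` straight after `create_connection` still has to work too, since that is the non-proxy case the same VS serves.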