ltm rule command SSL forward proxy
iRule(1) BIG-IP TMSH Manual iRule(1)
SSL::forward_proxy
Sets the SSL forward proxy bypass feature to bypass or intercept, or
retrieves the forged certificate, or enables/disables/gets
verified_handshake semantics for the SSL handshake.
SYNOPSIS
SSL::forward_proxy ( (policy (bypass | intercept)?) | cert)
SSL::forward_proxy verified_handshake (enable | disable) ?
DESCRIPTION
This command sets the SSL forward proxy bypass feature to bypass or
intercept when the policy subcommand is specified, or retrieves the
forged certificate when the cert subcommand is specified. If the
verified_handshake subcommand is specified, the command enables,
disables or retrieves the verified_handshake behavior for the SSL
handshake.
RETURN VALUE
SSL::forward_proxy policy <[bypass] | [intercept]>
This command sets the policy of the SSL Forward Proxy Bypass feature
to "bypass" or "intercept".
SSL::forward_proxy cert
Returns the X509 SSL certificate forged by the SSL forward proxy.
SSL::forward_proxy verified_handshake [ enable | disable ]
Returns the verified handshake value if no option is specified,
else sets the verified handshake to enable or disable.
VALID DURING
CLIENTSSL_SERVERHELLO_SEND CLIENT_ACCEPTED CLIENTSSL_CLIENTHELLO
SERVER_CONNECTED
EXAMPLES
# Bypass: pass the TLS session through without decryption.
when CLIENTSSL_SERVERHELLO_SEND {
    log local0. "bypassing"
    SSL::forward_proxy policy bypass
}
# Intercept: terminate TLS on the BIG-IP using the forged certificate.
when CLIENTSSL_SERVERHELLO_SEND {
    log local0. "intercepting"
    SSL::forward_proxy policy intercept
}
# Retrieve the forged certificate and log its issuer.
when CLIENTSSL_SERVERHELLO_SEND {
    set cert [SSL::forward_proxy cert]
    log local0. "Cert issuer - [X509::issuer $cert]"
}
# Enable verified_handshake on the client side and read the value back.
when CLIENTSSL_CLIENTHELLO {
    SSL::forward_proxy verified_handshake enable
    set vhs [ SSL::forward_proxy verified_handshake ]
    log local0. "Set clientside SSL forward proxy verified handshake to $vhs"
}
# Enable verified_handshake on the server side and read the value back.
when SERVER_CONNECTED {
    SSL::forward_proxy verified_handshake enable
    set vhs [ SSL::forward_proxy verified_handshake ]
    log local0. "Set serverside SSL forward proxy verified handshake to $vhs"
}
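The following is an added example, not part of the original manual page: it combines the cert and policy subcommands so that interception is the default and bypass is granted only when the forged certificate's subject CN matches an allow-list. It assumes the forged certificate carries the origin server's subject CN; the hostname patterns are constructed placeholders, and X509::subject and IP::client_addr are standard iRule commands not shown elsewhere on this page.

```tcl
# Added example. Hostname patterns are constructed placeholders.
when CLIENTSSL_SERVERHELLO_SEND {
    # Fail closed: intercept unless the forged certificate's CN matches
    # an explicit bypass pattern.
    set bypass 0
    set cn ""
    set issuer ""

    if { [catch {
        set cert    [SSL::forward_proxy cert]
        set subject [X509::subject $cert]
        set issuer  [X509::issuer $cert]
    } err] } {
        # No usable certificate: keep the default (intercept) and record why.
        log local0. "forward_proxy: could not read forged cert: $err"
    } elseif { [regexp -nocase {CN=([^,/]+)} $subject -> cn] } {
        set cn [string tolower [string trim $cn]]
        # string match compares the whole CN, so a name such as
        # "x.bank.example.other.test" does not qualify for bypass.
        foreach pattern {*.bank.example portal.health.example} {
            if { [string match $pattern $cn] } {
                set bypass 1
                break
            }
        }
    }

    # Literal subcommands, exactly as in the manual's own examples.
    if { $bypass } {
        SSL::forward_proxy policy bypass
    } else {
        SSL::forward_proxy policy intercept
    }

    # One audit line per handshake so bypass decisions can be reviewed.
    log local0. "forward_proxy: client=[IP::client_addr] cn=\"$cn\" issuer=\"$issuer\" bypass=$bypass"
}
```

This rule inspects only the subject CN; a certificate that names its hosts solely in subjectAltName is intercepted.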
HINTS
The "SSL::forward_proxy verified_handshake" command must be run on both
the client and server side of the forward proxy to configure the
verified_handshake behavior.
SEE ALSO
CHANGE LOG
@BIGIP-13.1.0.1 -- The "verified_handshake" subcommand was introduced.
@BIGIP-13.1.0 -- The "cert" subcommand was introduced.
@BIGIP-11.5.0 -- First introduced the command.
BIG-IP 2018-07-19 iRule(1)