ltm rule command SSL forward proxy

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



SSL::forward_proxy
       Sets the SSL forward proxy bypass feature to bypass or intercept, or
       retrieves the forged certificate, or enables/disables/gets
       verified_handshake semantics for the SSL handshake.

SYNOPSIS
       SSL::forward_proxy ( (policy (bypass | intercept)?) | cert)

       SSL::forward_proxy verified_handshake (enable | disable) ?

DESCRIPTION
       This command sets the SSL forward proxy bypass feature to bypass or
       intercept when the policy subcommand is specified, or retrieves the
       forged certificate when the cert subcommand is specified. If the
       verified_handshake subcommand is specified, the command enables,
       disables or retrieves the verified_handshake behavior for the SSL
       handshake.

RETURN VALUE
       SSL::forward_proxy policy <[bypass] | [intercept]>
	   This command sets the policy of SSL Forward Proxy Bypass feature to
       "bypass" or "intercept"

       SSL::forward_proxy cert
	   Returns the X509 SSL certificate forged by the SSL forward proxy.

       SSL::forward_proxy verified_handshake [ enable | disable ]
	   Returns the verified handshake value if no option is specified,
       else sets the verified handshake to enable or disable.

VALID DURING
       CLIENTSSL_SERVERHELLO_SEND CLIENT_ACCEPTED CLIENTSSL_CLIENTHELLO
       SERVER_CONNECTED

EXAMPLES
	when CLIENTSSL_SERVERHELLO_SEND {
	    log local0. "bypassing"
	    SSL::forward_proxy policy bypass
	}

	when CLIENTSSL_SERVERHELLO_SEND {
	    log local0. "intercepting"
	    SSL::forward_proxy policy intercept
	}

	when CLIENTSSL_SERVERHELLO_SEND {
	    set cert [SSL::forward_proxy cert]
	    log local0. "Cert issuer - [X509::issuer $cert]"
	}

	when CLIENTSSL_CLIENTHELLO {
	    SSL::forward_proxy verified_handshake enable
	    set vhs [ SSL::forward_proxy verified_handshake ]
	    log local0. "Set clientside SSL forward proxy verified handshake to $vhs"
	}

	when SERVER_CONNECTED {
	    SSL::forward_proxy verified_handshake enable
	    set vhs [ SSL::forward_proxy verified_handshake ]
	    log local0. "Set serverside SSL forward proxy verified handshake to $vhs"
	}
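
       The following is an added example, not part of the F5 manual. It
       chooses bypass or intercept per connection from the client's SNI and
       logs the forged certificate's issuer for intercepted connections.
       It assumes a client SSL profile with SSL forward proxy and bypass
       enabled, and a string data group named sfp_bypass_hosts (a
       hypothetical name) holding domain suffixes that must not be decrypted.

```tcl
when CLIENTSSL_CLIENTHELLO {
    # Fail closed: a missing or unparsable SNI is intercepted, never bypassed.
    set sfp_bypass 0
    set sni ""

    # Extension type 0 is server_name (RFC 6066). Assumed layout of the
    # returned bytes: ext type(2) ext len(2) list len(2) name type(1)
    # name len(2) name.
    if { [SSL::extensions exists -type 0] } {
        set ext [SSL::extensions -type 0]
        if { [binary scan $ext @6cS name_type name_len] == 2 && $name_type == 0 } {
            # S is a signed 16-bit read; mask it to an unsigned length.
            set name_len [expr { $name_len & 0xffff }]
            if { [binary scan $ext @9a${name_len} sni] == 1 } {
                set sni [string tolower $sni]
            }
        }
    }

    # sfp_bypass_hosts is a hypothetical data group. Store entries with a
    # leading dot (".bank.example") so ends_with cannot match a look-alike
    # such as "notbank.example".
    if { $sni ne "" && [class match $sni ends_with sfp_bypass_hosts] } {
        set sfp_bypass 1
    }

    if { $sfp_bypass } {
        SSL::forward_proxy policy bypass
    } else {
        SSL::forward_proxy policy intercept
    }
    log local0. "SSL forward proxy: client=[IP::client_addr] sni=$sni bypass=$sfp_bypass"
}

when CLIENTSSL_SERVERHELLO_SEND {
    # Audit the forged certificate only for connections that are intercepted.
    if { !$sfp_bypass } {
        set cert [SSL::forward_proxy cert]
        log local0. "SSL forward proxy: forged cert issuer - [X509::issuer $cert]"
    }
}
```

       The SNI is supplied by the client, so a bypass list keyed on it should
       stay narrow and the bypass log line should be reviewed.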

HINTS
       The "SSL::forward_proxy verified_handshake" command must be run on both
       the client and server side of the forward proxy to configure the
       verified-handshake behavior.

SEE ALSO
CHANGE LOG
       @BIGIP-13.1.0.1 -- The "verified_handshake" subcommand was introduced.
       @BIGIP-13.1.0 -- The "cert" subcommand was introduced.
       @BIGIP-11.5.0 -- First introduced the command.



BIG-IP				  2018-07-19			      iRule(1)