Cloud Native应用交付

  • 首页
  • 关于本站
  • 个人介绍
  • Downloads
  • Repo
    • Github
    • Container
  • F5
    • F5 Python SDK
    • F5-container
    • F5-LBaaS
  • 社交
    • 联系我
    • 微信/微博
    • 公众号
    • 打赏赞助
行至水穷处 坐看云起时
Cloud Native Application Services: cnadn.net
  1. 首页
  2. F5-Tech tips
  3. 正文

F5 SSL forward proxy

2015年08月19日 31046点热度 2人点赞 0条评论

如果一个企业希望当用户访问任意SSL加密的数据时也能监控其内容的话,同时又希望用户不要觉察到TA可能在被监控(至少对于绝大部分普通用户来说),可以考虑使用SSL forward proxy。该功能的基本原理类似于前段时间某强大的传说中的火墙干的那样,当请求通过时候,实时on-fly签发一张让用户感觉不到的server证书,这样客户端SSL实际是和中间设备(F5)在通信,F5在server侧模拟充当普通客户与实际网站通信,从而实现数据解密。

对于F5来说,其实际通信过程如下:

  1. client 发起 client hello 到VIP
  2. F5 vip接到该client hello后在client侧暂时hold住,不处理
  3. 同时在server侧发起一个新的SSL会话,通过该会话获得实际服务器的server证书
  4. 利用server证书里的一些关键信息(CN或者SAN),通过在F5上配置的一个CA实时签发一张关于该server的证书
  5. F5在client侧回复server hello,以及实时签发的证书给client,最后client侧SSL会话建立
  6. client 发送实际数据,F5可以看到该实际数据
  7. F5在server侧利用server侧的SSL会话重新封装数据

如果此时并不想对所有网站都进行这样处理,比如对到一些敏感网站(例如个人网银等)请求,则需要对这些网站进行bypass,所谓bypass就是不让F5获得敏感数据,F5将执行类似纯数据包转发,这个bypass情形的过程如下(假设需求是:缺省截取但对部分网站bypass):

 

  1. client 发起 client hello 到VIP
  2. F5 vip接到该client hello后在client侧暂时hold住,不处理
  3. 同时在server侧发起一个新的SSL会话,通过该会话获得实际服务器的server证书
  4. 利用server证书里的一些关键信息(CN或者SAN)或L3、4层信息,查找匹配bypass列表,然后执行下面蓝色或者红色的过程:
  5. 如果发现匹配,则重新建立一个新TCP连接,将第1步收到的client hello转发给server,后续client和server间的数据,F5只做简单转发。
  6. 如果没有发现匹配,则执行下面的 7-10过程
  7. 利用server证书里的一些关键信息,通过在F5上配置的一个CA实时签发一张关于该server的证书
  8. F5在client侧回复server hello,以及实时签发的证书给client,最后client侧SSL会话建立
  9. client 发送实际数据,F5可以看到该实际数据
  10. F5在server侧利用server侧的SSL会话重新封装数据

配置方法:

1.配置一个client ssl profile,启用ssl forward proxy:

蓝色是必配部分,而且如果要做的完美(客户端不容易发现的话,这里的CA是关键,得用浏览器能认得)

红色部分为当需要bypass时配置,其中可以配置根据多重条件bypass,具体看在线帮助,配置选项可以直接选择调用data group配置。

2. 配置一个server ssl profile,同样启用ssl forward proxy,另外如果启用bypass的,则必须在client和server 这两个SSL profile中同时启用。

 

测试效果:

1。没有被bypass,即可以观察明文数据情形:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
root@ubuntu-jmeter:/home/mycisco# openssl s_client -connect www.salesforce.com:443 -tls1 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = F5, L = F5, O = F5, OU = F5, CN = *.*.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Salesforce.com, Inc./OU=Network/CN=www.salesforce.com
   i:/C=US/ST=F5/L=F5/O=F5/OU=F5/CN=*.*.com
-----BEGIN CERTIFICATE-----
MIIESDCCAzCgAwIBAgIIVdRE42Zx7NMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkY1MQswCQYDVQQHEwJGNTELMAkGA1UEChMCRjUxCzAJ
BgNVBAsTAkY1MRAwDgYDVQQDFAcqLiouY29tMB4XDTE1MDgxODA4NTcwN1oXDTE1
MDkxODA4NTcwN1owgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHFA1TYW4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNv
bSwgSW5jLjEQMA4GA1UECxQHTmV0d29yazEbMBkGA1UEAxQSd3d3LnNhbGVzZm9y
Y2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxQP5IrzYicGd
cVDYp1nplorSElQfGBkE8I+9TLmD6iCxl7gKdqVYaF9FQujyhmSUitHR52YRyCha
CjnJ2/wpzyiew/Ny3azXRRfEZTMPhYArruSNhGd8u1KRUfFWG2BPjWQgq5NVOxRH
XJKiZ+3WGd1KlSqpVT9iY+qCThMw92HLH3eZdfGbskr7qqTOu6O8Hgy01IGVpg4l
6VtbJwOosRFIiRRemvRXWPX8X3fOVoc5GmYsuP1UtQCzpHkc3yXk51S9xmIZ41C1
cywoUZUNNQXF+hWFM1pDz1s7LjW8h5rcdx6UN5QixhIs8SRPc8hhDIRPPyIfDG4f
id1dIEhGgQIDAQABo4HpMIHmMIHYBgNVHREEgdAwgc2CEnd3dy5zYWxlc2ZvcmNl
LmNvbYIOc2FsZXNmb3JjZS5jb22CDnNmZGNzdGF0aWMuY29tggtjaGF0dGVyLmNv
bYIJZm9yY2UuY29tgghkYXRhLmNvbYIQKi5zZmRjc3RhdGljLmNvbYINKi5jaGF0
dGVyLmNvbYILKi5mb3JjZS5jb22CCiouZGF0YS5jb22CCCouZG8uY29tggZkby5j
b22CEGMuc2FsZXNmb3JjZS5jb22CF29yaWdpbi1jLnNhbGVzZm9yY2UuY29tMAkG
A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAB3xkIDZKfDST+sXIdeOd1spl0vP
iGBUhpRx6l8HC7X3KohX4EwEm+ls4gY/dcpudc1hRB/Sh438KcwogHRWrPchiFVm
bKAXlVeW1aUmhya3Zqooi+qaA/TEe0r861k339ZGnwyqtpqSd9GnbSwvGyukTVcM
NzyRfYzBRzeGWOTYEJrrUhzxEF7pwjrokYPbKk5lyiuKOfMcD5UFDxK3qtr5+96h
/+fKObwRGtpnwiJd4kpXv6vvd12LbU/EdkPD2gNO1PSeq+NiyZhb/uTCFai6S+19
bHl3ZaaLQJToLLiuWrmnmiMxKU33WD+JK8q9bGX4cLLiSZiTwGiYW7zVlFA=
-----END CERTIFICATE-----
1 s:/C=US/ST=F5/L=F5/O=F5/OU=F5/CN=*.*.com
   i:/C=US/ST=F5/L=F5/O=F5/OU=F5/CN=*.*.com
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIECpaE6zANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCRjUxCzAJBgNVBAcTAkY1MQswCQYDVQQKEwJGNTELMAkGA1UE
CxMCRjUxEDAOBgNVBAMUByouKi5jb20wHhcNMTUwODE5MDcyOTQ3WhcNMTYwODE4
MDcyOTQ3WjBTMQswCQYDVQQGEwJVUzELMAkGA1UECBMCRjUxCzAJBgNVBAcTAkY1
MQswCQYDVQQKEwJGNTELMAkGA1UECxMCRjUxEDAOBgNVBAMUByouKi5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVjXf8woBn8Nl1AGc07qTkwiel
p3d31tTDRBGi0hXBnMni9xGf3K58uITnrunpJvUctM1UYiENzbuiTbK6CN43sDfZ
YxXDNmEpOExX1AsOala8Luatl+NVLMLBkQIjjKXwiOn+fGhbwqN9Puh2pTRnet32
AZ9D9U+G4tytDgqLwR4EXlPNXMa1Hicv9Y4hQUULaCdgez5szSWvCsk2/SA6NLsC
tiu1aTT30o52CBFK3L/KCtf3b0S98bS/ZKu5Pp4eryZnmqOrtAMRL2iXIIKDKsu5
uPg7aG9OT78t9LN+Jd10UXzF8/WPhpK+iY122JwHrKlg2tPRtXXeybkb33DhAgMB
AAEwDQYJKoZIhvcNAQELBQADggEBAFgYuj9PcRu24YaqJ4O46w/fK7jflSxsNAvn
8eX+5stXaTY4zq4m1iUBMwpE0qzaV+2wAG8B9bHoANwqyKjdctKcUjc35rco01/S
qYtBUT54k4HeIQMozu3NF2Zhu41bLAO6lzOQd6z+N2Ysp+nwTYVL8IpJNaNWkjZb
fSa6BXGTW9PqAccoSdx4M+aLX2YkXEovJt5McEkwKr7iTFOwmVZjMbNWXrrCg2Yc
drzeClIqbYf8zmsZZLJUMeD2Lrst8zfr62OnWGkCl+V8i51fBNxdp4EZxE0z5UzC
kbvmQDF+ja+tim7/Fr5pGAwwEgkk9zkJbcJovwcM6zdl/SwzbJ0=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Salesforce.com, Inc./OU=Network/CN=www.salesforce.com
issuer=/C=US/ST=F5/L=F5/O=F5/OU=F5/CN=*.*.com
---
No client certificate CA names sent
---
SSL handshake has read 2608 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5906A738CBFC57B07ACBE0BDB30C51740053406E4090642EB68FF106BEE40418
    Session-ID-ctx:
    Master-Key: 6900D98D17C3784970CE7943B8429566415DAE2915D1E3DC0192356DF602AE7126361A6C3B2585166972B9A057E871D8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1439974625
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

注意看上述最后的证书是F5自己签发的:

1
2
3
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Salesforce.com, Inc./OU=Network/CN=www.salesforce.com
issuer=/C=US/ST=F5/L=F5/O=F5/OU=F5/CN=*.*.com

 

2. Bypass情形,即客户端看到实际真实server证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
root@ubuntu-jmeter:/home/mycisco# openssl s_client -connect devcentral.f5.com:443 -tls1 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/O=F5 Networks Inc/businessCategory=Private Organization/serialNumber=601692492/CN=f5.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
-----BEGIN CERTIFICATE-----
MIIHYzCCBkugAwIBAgIEVMwsYzANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDE0IEVudHJ1c3Qs
IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwGA1UEAxMlRW50cnVz
dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxTTAeFw0xNTA3MjcxNjM5MzJa
Fw0xNjA3MjgwNjMzNDlaMIHEMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
Z3RvbjEQMA4GA1UEBxMHU2VhdHRsZTETMBEGCysGAQQBgjc8AgEDEwJVUzEbMBkG
CysGAQQBgjc8AgECEwpXYXNoaW5ndG9uMRgwFgYDVQQKEw9GNSBOZXR3b3JrcyBJ
bmMxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRIwEAYDVQQFEwk2MDE2
OTI0OTIxDzANBgNVBAMTBmY1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANoelpLBCHNTmx0/tUPMHr9k6VCHXk97GRbmcOFJrhWm2Y5pRzKniiIr
gQwOvI/Ntcjlqyzdj5rvL8PD5+Wwe1akV4h2bCdFjg0G6THtNFNywkwJX93H0hWD
iLaiUXfwdliXvSZu4DavDGdYkrSHBNE4FNY0nU0kgb7C6Ps+jhXrvJMUiS0a1s1t
fU//7uwc4v5aM6/XY7JWHRTnqo4kYvMqGPbSogsDcrzNRTtzAY7L7Jj4rJJnX1zD
uyw05FabtBQRY4fIMPAl+KTiFiQaiLINk4m8gjSmuIrr/QEzVFpFHxYovcl+7Wnx
4Fxl9B37XpBtkXzU5QHcRz3fGmVK91MCAwEAAaOCA2MwggNfMIGBBgNVHREEejB4
ggZmNS5jb22CCnd3dy5mNS5jb22CEWRldmNlbnRyYWwuZjUuY29tgg9saW5lcmF0
ZS5mNS5jb22CEHN5bnRoZXNpcy5mNS5jb22CDnBhcnRuZXIuZjUuY29tgg9wYXJ0
bmVycy5mNS5jb22CC2RvY3MuZjUuY29tMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFq
AWgAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAU7QfZObAAAE
AwBHMEUCIQDUOjKBA7cIHCMfX7RZg2rhKYc3QfmlkRdBvQPimByb7QIgLZgNUi60
1CT3r/sFzn1U9ZCbiHRnn4ULjLB3RjBkKTkAdgBWFAaaL9fC7NP14b1Esj7HRna5
vJkRXMDvlJhV1onQ3QAAAU7QfZdJAAAEAwBHMEUCIBL043XtG7YgNNtmxKuqDfuS
xTa7+kDE4IoS1DIW51hvAiEAkrH+eSesmozeik6LSHnT8gZ2rfqPxnYO/m1ah++w
kloAdgB0YbSgnPs9QddRWVdbLnZJpEWo0ncJsMxWSmSCt+tBowAAAU7QfZnJAAAE
AwBHMEUCICUKH09E8D3uTAPUDaSHuRKkqPJL4YQuhOLORUJ/gRMpAiEAi3BE/PEn
b9McJHNsvqlgR+HKECM0TvASBSo8RGYwqnMwCwYDVR0PBAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBoBggrBgEFBQcBAQRcMFowIwYIKwYBBQUH
MAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMGCCsGAQUFBzAChidodHRwOi8v
YWlhLmVudHJ1c3QubmV0L2wxbS1jaGFpbjI1Ni5jZXIwMwYDVR0fBCwwKjAooCag
JIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9sZXZlbDFtLmNybDBBBgNVHSAEOjA4
MDYGCmCGSAGG+mwKAQIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0
Lm5ldC9ycGEwHwYDVR0jBBgwFoAUw/fQtSowra8NkSFwOVTdvIlwxzowHQYDVR0O
BBYEFNGOaMCt0oswqTyiCr0xrG/5/q5gMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEL
BQADggEBAA2Fq+f6rP4H2DQhXiWxohbMNikb5BjcP6pDs5guSLTMp3G1DO/WoSEw
WFeHQEYH77TPEJ9komc8Y+9T9ypLHb0/aLIh6VfZSLV9+Wqnsc/pw46izkw1rIcc
Jjl57OshV3zvyEb8+Uf6Mz2kmq4yKpNfiBRspKfh4smsaY53pYx3TcSbrv9Kepzc
rUFFK67Xk63VXdFPYGCoXgZK/nvYG7XYXrgWc+y5s6yTEiEos38OAVIG80iQEFB3
ZZ/bn78prX1z+r2JjjvajAk9zkv3CrnIGZPXGbD5GOTAczC712gnq1aVs0e0n+Sk
gTTZMbcQsUzLutNb0e3+R0N9aaad5cQ=
-----END CERTIFICATE-----
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIMYaHn0gAAAABR02amMA0GCSqGSIb3DQEBCwUAMIG+MQsw
CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl
IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg
RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD
EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x
NDEyMTUxNTI1MDNaFw0zMDEwMTUxNTU1MDNaMIG6MQswCQYDVQQGEwJVUzEWMBQG
A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l
dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTQgRW50cnVzdCwgSW5jLiAt
IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0IHBOSPCsdHs91fdVSQ2kSAiSPf8ylIKsKs/M7WwhAf23056sPuY
Ij0BrFb7cW2y7rmgD1J3q5iTvjOK64dex6qwymmPQwhqPyK/MzlG1ZTy4kwFItln
gJHxBEoOm3yiydJs/TwJhL39axSagR3nioPvYRZ1R5gTOw2QFpi/iuInMlOZmcP7
lhw192LtjL1JcdJDQ6Gh4yEqI3CodT2ybEYGYW8YZ+QpfrI8wcVfCR5uRE7sIZlY
FUj0VUgqtzS0BeN8SYwAWN46lsw53GEzVc4qLj/RmWLoquY0djGqr3kplnjLgRSv
adr7BLlZg0SqCU+01CwBnZuUMWstoc/B5QIDAQABo4IBKzCCAScwDgYDVR0PAQH/
BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8E
CDAGAQH/AgEAMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29j
c3AuZW50cnVzdC5uZXQwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL2NybC5lbnRy
dXN0Lm5ldC9nMmNhLmNybDA7BgNVHSAENDAyMDAGBFUdIAAwKDAmBggrBgEFBQcC
ARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwHQYDVR0OBBYEFMP30LUqMK2v
DZEhcDlU3byJcMc6MB8GA1UdIwQYMBaAFGpyJnrQHu995ztpUdRsjZ+QEmarMA0G
CSqGSIb3DQEBCwUAA4IBAQC0h8eEIhopwKR47PVPG7SEl2937tTPWa+oQ5YvHVje
pvMVWy7ZQ5xMQrkXFxGttLFBx2YMIoYFp7Qi+8VoaIqIMthx1hGOjlJ+Qgld2dnA
DizvRGsf2yS89byxqsGK5Wbb0CTz34mmi/5e0FC6m3UAyQhKS3Q/WFOv9rihbISY
Jnz8/DVRZZgeO2x28JkPxLkJ1YXYJKd/KsLak0tkuHB8VCnTglTVz6WUwzOeTTRn
4Dh2ZgCN0C/GqwmqcvrOLzWJ/MDtBgO334wlV/H77yiI2YIowAQPlIFpI+CRKMVe
1QzX1CA778n4wI+nQc1XRG5sZ2L+hN/nYNjvv9QiHg3n
-----END CERTIFICATE-----
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
-----BEGIN CERTIFICATE-----
MIIE/zCCA+egAwIBAgIEUdNARDANBgkqhkiG9w0BAQsFADCBsDELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE0MDkyMjE3MTQ1N1oXDTI0MDkyMzAx
MzE1M1owgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgw
JgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQL
EzAoYykgMjAwOSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9u
bHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvi
mekwAad26jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ
0GqAgABFHrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG4
0kfO5MlJxDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs
0JslguPMwsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxi
d+q36OW7NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4
to2UYySkcQIDAQABo4IBDzCCAQswDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI
MAYBAf8CAQEwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz
cC5lbnRydXN0Lm5ldDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1
c3QubmV0L3Jvb3RjYTEuY3JsMDsGA1UdIAQ0MDIwMAYEVR0gADAoMCYGCCsGAQUF
BwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NQUzAdBgNVHQ4EFgQUanImetAe
733nO2lR1GyNn5ASZqswHwYDVR0jBBgwFoAUaJDkZ6SmU4DHhmak8fdLQ/uEvW0w
DQYJKoZIhvcNAQELBQADggEBAGkzg/woem99751V68U+ep11s8zDODbZNKIoaBjq
HmnTvefQd9q4AINOSs9v0fHBIj905PeYSZ6btp7h25h3LVY0sag82f3Azce/BQPU
AsXx5cbaCKUTx2IjEdFhMB1ghEXveajGJpOkt800uGnFE/aRs8lFc3a2kvZ2Clvh
A0e36SlMkTIjN0qcNdh4/R0f5IOJJICtt/nP5F2l1HHEhVtwH9s/HAHrGkUmMRTM
Zb9n3srMM2XlQZHXN75BGpad5oqXnafOrE6aPb0BoGrZTyIAi0TVaWJ7LuvMuueS
fWlnPfy4fN5Bh9Bp6roKGHoalUOzeXEodm2h+1dK7E3IDhA=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/O=F5 Networks Inc/businessCategory=Private Organization/serialNumber=601692492/CN=f5.com
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M
---
No client certificate CA names sent
---
SSL handshake has read 5024 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: A8760111EB8C0DF23198F6AEC9F4E0A42D96DC6B05D07E45780B522884C51209
    Session-ID-ctx:
    Master-Key: BBEA7D60B20CE20FE995F36D40B4DB5686F749BB494B1633858CC6604EB4D17DEB87A8DEFA97E5AAA28411D1311C5414
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1439974518
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

注意看证书是是未经过F5签发的而是原始的entrust签发的证书

1
2
3
Server certificate
subject=/C=US/ST=Washington/L=Seattle/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/O=F5 Networks Inc/businessCategory=Private Organization/serialNumber=601692492/CN=f5.com
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M

其他问题:

  1. 这个功能需要license,非免费

  2. 该功能不支持server要求双向验证的情形,对于这种情况默认是无法进行处理的,因为在通信过程中的第3步会失败,进而导致F5 reset client侧连接。

Bugs:

sol16360: The SSL Forward Proxy feature does not fully support the SSL Forward Proxy Bypass option

sol15830: Changes made to a data group are not automatically propagated to a Client SSL profile

 

另外,上述假定访问vs的都是标准的HTTPS请求,实际应用很可能是一个全0的通配类VS,那么此时需要考虑一些irule,利用irule判断如果是一个SSL握手,则启用ssl profle功能,否则关闭SSL profile,类似这样

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
when CLIENT_ACCEPTED {
   # Assume it is not ssl
   HTTP::disable
   SSL::disable clientside
   SSL::disable serverside
   TCP::collect
}
when CLIENT_DATA {
   # Enable SSL,if it is client hello packet.
   binary scan [TCP::payload] c type
   if { $type == 22 } {
      SSL::enable clientside
      SSL::enable serverside
      HTTP::enable
   }
   TCP::release
}

 

附加信息,在一个全0的通配端口的vs上,当一个tls1.0以上版本的ssl 请求的话,识别其SNI是否在2way——ssl的bypass group中,如果匹配则vs当成普通转发vs,如果不匹配则启用两侧ssl profile进行SSL forward处理。并针对一些匹配条件启动SSL forward bypass策略。 对于SSLV3,由于不适用于ssl forward功能,直接当成普通vs转发。注意下述irule对没有提供SNI且服务器要求2way-ssl的情形是无法处理的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
when CLIENT_ACCEPTED {
   # On TCP session initiation, we dont know if this is going to be SSL
   # disable SSL and HTTP profiles and then collect the payload
   set detect_handshake 1
   HTTP::disable
   SSL::disable clientside
   SSL::disable serverside
   TCP::collect
}
 
 
when CLIENT_DATA {
                # If we're in a handshake detection, look for an SSL/TLS header.
                binary scan [TCP::payload] cSS tls_xacttype tls_version tls_recordlen
                log local0. "ssl version $tls_version"
                # TLS is the only thing we want to process because it's the only
                # version that allows the servername extension to be present. When we
                # find a supported TLS version, we'll check to make sure we're getting
                # only a Client Hello transaction -- those are the only ones we can pull
                # the servername from prior to connection establishment.
                switch $tls_version {
        "768" { set detect_handshake 0 }
                        "769" -
                        "770" -
                        "771" {
                                if { ($tls_xacttype == 22) } {
                                        binary scan [TCP::payload] @5c tls_action
                                        if { not (($tls_action == 1) && ([TCP::payload length] > $tls_recordlen)) } {
                                                set detect_handshake 0
                                        }
                                }
                        }
                        default {
                                log local0. "it is not ssl handshake packet!"
                                set detect_handshake 0
                        }
                }
                if { ($detect_handshake) } {
        log local0. "Found ssl handshake"
                # If we made it this far, we're still processing a TLS client hello.
                #
                # Skip the TLS header (43 bytes in) and process the record body. For TLS/1.0 we
                # expect this to contain only the session ID, cipher list, and compression
                # list. All but the cipher list will be null since we're handling a new transaction
                # (client hello) here. We have to determine how far out to parse the initial record
                # so we can find the TLS extensions if they exist.
                        set record_offset 43
                        binary scan [TCP::payload] @${record_offset}c tls_sessidlen
                        set record_offset [expr {$record_offset + 1 + $tls_sessidlen}]
                        binary scan [TCP::payload] @${record_offset}S tls_ciphlen
                        set record_offset [expr {$record_offset + 2 + $tls_ciphlen}]
                        binary scan [TCP::payload] @${record_offset}c tls_complen
                        set record_offset [expr {$record_offset + 1 + $tls_complen}]
                # If we're in TLS and we've not parsed all the payload in the record
                # at this point, then we have TLS extensions to process. We will detect
                # the TLS extension package and parse each record individually.
                        if { ([TCP::payload length] > $record_offset) } {
                                binary scan [TCP::payload] @${record_offset}S tls_extenlen
                                set record_offset [expr {$record_offset + 2}]
                                binary scan [TCP::payload] @${record_offset}a* tls_extensions
                # Loop through the TLS extension data looking for a type 00 extension
                # record. This is the IANA code for server_name in the TLS transaction.
                                for { set x 0 } { $x < $tls_extenlen } { incr x 4 } {
                                        set start [expr {$x}]
                                        binary scan $tls_extensions @${start}SS etype elen
                                        if { ($etype == "00") } {
                # A servername record is present. Pull this value out of the packet data
                # and save it for later use. We start 9 bytes into the record to bypass
                # type, length, and SNI encoding header (which is itself 5 bytes long), and
                # capture the servername text (minus the header).
                                                set grabstart [expr {$start + 9}]
                                                set grabend [expr {$elen - 5}]
                                                binary scan $tls_extensions @${grabstart}A${grabend} tls_servername
                                                log local0. "SNI name is $tls_servername"
                                                set start [expr {$start + $elen}]
                                        } else {
                # Bypass all other TLS extensions.
                                                set start [expr {$start + $elen}]
                                        }
                                        set x $start
                                }
                # Check to see whether we got a servername indication from TLS. If so,
                # make the appropriate changes.
                       if { ([info exists tls_servername] ) } {
                       # For sites in the bypass_group, we will disable all sides ssl, for not in the group, will enable ssl.
                           if { not [class match $tls_servername contains bypass_2way_host] } {
                                 SSL::enable clientside
                                 SSL::enable serverside
                                 HTTP::enable                                                
                                        }
                        } else {
                       # SNI does not exisit
                                 log local0. "It is ssl handshake,but SNI not exist,enable ssl for both side"      
                                 SSL::enable clientside
                                 SSL::enable serverside
                                 HTTP::enable
                        }
                          set detect_handshake 0
                }
        }
               TCP::release
}
 
 
 
when CLIENTSSL_CLIENTHELLO {
    # Extract SNI header from client
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9a* ssl_ext_sn
        #set category 0
        #catch { set category [getfield [CATEGORY::lookup http://$ssl_ext_sn/] " " 1] }        
        #log local0.alert "SSL SNI $ssl_ext_sn category=$category ([IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port])"
    }
}
when CLIENTSSL_SERVERHELLO_SEND {
    # Bypass ssl forward proxy based destination port
    if { [ class match [TCP::local_port] equals bypass_port ] } {
       #log local0.alert "*** Bypass SSL for dst port [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
       SSL::forward_proxy policy bypass
       HTTP::disable
    }
    # Bypass ssl forward proxy based destination IP
    if { [ class match [IP::local_addr] equals bypass_address ] } {
       #log local0.alert "*** Bypass SSL for IP [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
       SSL::forward_proxy policy bypass
       HTTP::disable
    }
#     Bypass ssl forward proxy based on SNI hostname
    if { [info exists ssl_ext_sn] && [ class match $ssl_ext_sn contains bypass_host ] } {        
       log local0.alert "*** Bypass SSL for HOST $ssl_ext_sn ([IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port])"
       SSL::forward_proxy policy bypass
       HTTP::disable
    }
    # Bypass ssl forward proxy based on category
    #if { [info exists ssl_ext_sn] && [ class match $category equals bypass_category ] } {        
       #log local0.alert "*** Bypass SSL for $category $ssl_ext_sn ([IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port])"
       #SSL::forward_proxy policy bypass
       #HTTP::disable
    #}
}
when HTTP_REQUEST {    
    # Insert header in request to for re-encryption when request is returned from inspection proxy to BIG-IP
    #log local0.alert "[virtual] insert X-Proxy-HTTPS http://[HTTP::host]/[string range [HTTP::uri] 1 25]..."
#    HTTP::header insert X-Proxy-HTTPS [TCP::local_port]
    #LB::detach
    #SSL::disable serverside
    #virtual vs-any-proxy2
    log local0. "http request event"
}

 

相关文章

  • openstack heat模板之配置基本LB到F5 BIGIP
  • F5常见log日志解释
  • F5 TMOS系统操作手册
  • BIGIP DNS (GTM)V12变化速览
  • TMOS/LTM V12.0 行为变化列表 (Release notes)
本作品采用 知识共享署名-非商业性使用 4.0 国际许可协议 进行许可
标签: F5 ssl forward proxy 解密SSL
最后更新:2015年08月20日

纳米

linjing.io

打赏 点赞
< 上一篇
下一篇 >

文章评论

razz evil exclaim smile redface biggrin eek confused idea lol mad twisted rolleyes wink cool arrow neutral cry mrgreen drooling persevering
取消回复

这个站点使用 Akismet 来减少垃圾评论。了解你的评论数据如何被处理。

页面AI聊天助手

纳米

linjing.io

☁️迈向Cloud Native ADC ☁️

认证获得:
TOGAF: ID 152743
Kubernetes: CKA #664
Microsoft: MCSE MCDBA
Cisco: CCNP
Juniper: JNCIS
F5:
F5 Certified Solution Expert, Security
F5 Certified Technology Specialist, LTM/GTM/APM/ASM
F5 Certified BIG-IP Administrator
  • 点击查看本博技术要素列表
  • 归档
    分类
    • AI
    • Automation
    • Avi Networks
    • Cisco ACI
    • CISCO资源
    • F5 with ELK
    • F5-Tech tips
    • F5技术
    • Juniper
    • Linux
    • NGINX
    • SDN
    • ServiceMesh
    • WEB编程
    • WINDOWS相关
    • 业界文章
    • 交换机技术
    • 化云为雨/Openstack
    • 协议原理
    • 容器/k8s
    • 我的工作
    • 我的生活
    • 网站技术
    • 路由器技术
    • 项目案例
    标签聚合
    neutron envoy docker openstack flannel gtm network k8s irule DNS istio api F5 bigip nginx
    最近评论
    汤姆 发布于 8 个月前(09月10日) 嗨,楼主,里面的json怎么下载啊,怎么收费啊?
    汤姆 发布于 8 个月前(09月09日) 大佬,kib的页面可以分享下吗?谢谢
    zhangsha 发布于 1 年前(05月12日) 资料发给我下,谢谢纳米同志!!!!lyx895@qq.com
    李成才 发布于 1 年前(01月02日) 麻烦了,谢谢大佬
    纳米 发布于 1 年前(01月02日) 你好。是的,因为以前下载系统插件在一次升级后将所有的下载生成信息全弄丢了。所以不少文件无法下载。DN...
    浏览次数
    • Downloads - 183,676 views
    • 联系我 - 118,966 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 116,205 views
    • Github - 103,555 views
    • F5常见log日志解释 - 79,729 views
    • 从传统ADC迈向CLOUD NATIVE ADC - 下载 - 74,509 views
    • Sniffer Pro 4 70 530抓包软件 中文版+视频教程 - 74,320 views
    • 迄今为止最全最深入的BIGIP-DNS/GTM原理及培训资料 - 67,770 views
    • 关于本站 - 60,804 views
    • 这篇文档您是否感兴趣 - 55,463 views
    链接表
    • F5SE创新
    • Jimmy Song‘s Blog
    • SDNlab
    • Service Mesh社区
    • 三斗室
    • 个人profile
    • 云原生社区

    COPYRIGHT © 2023 Cloud Native 应用交付. ALL RIGHTS RESERVED.

    Theme Kratos Made By Seaton Jiang

    京ICP备14048088号-1

    京公网安备 11010502041506号