@0xJoeMartin
I was reading the F5 DevCentral articles on the JA4 iRules and ran into a phrasing that I'd like to clarify directly with you.
In https://community.f5.com/kb/technicalarticles/fingerprinting-tls-clients-with-ja4-on-f5-big-ip/326298, you write:
"The latest version of the JA4 iRule no longer requires SSL/TLS termination at the F5 BIGIP. It will work whether the SSL/TLS is terminated at the F5 BIGIP or not. ... The latest version of the JA4 iRules uses a separate iRule to inject JA4+ fingerprints as HTTP headers. This allows use of the JA4 iRules without needing to modify them. If you do not want to inject the JA4 as an HTTP header, you will then want to log the JA4 fingerprint. Or, you could inject the JA4 fingerprint into the underlying protocol in some way; otherwise, you are simply generating a JA4 fingerprint and doing nothing with it."
My question: if TLS terminates at my origin servers and the F5 is in passthrough mode, can the injection iRule actually add X-JA4 (or any other header) to the request before it leaves the F5? My understanding is that header injection requires the F5 to parse HTTP, which requires an HTTP profile, which requires TLS to be terminated at the F5, meaning that in passthrough mode, header injection isn't possible regardless of which iRule is used.
What's tripping me up is the phrasing "If you do not want to inject." That reads as a matter of preference rather than a technical constraint, and almost suggests injection into an encrypted passthrough connection might be achievable somehow. I'd like to confirm whether that's the case or whether the wording is just colloquial.
Some context on why this matters: I have application-side session data for unauthenticated sessions that I'm confident are from bots, but they're rotating IPs, emails, names, and payment details on every request. JA4 is the one signal I'm missing that might let me cluster these sessions together by TLS fingerprint. We aren't able to terminate TLS at the F5 for reasons I won't get into here, so my hope was that there's a way to get the JA4 data back to the origin without changing that. If header injection genuinely doesn't work in passthrough, I'll plan accordingly, but I wanted to confirm with you directly given how the article is worded.
Thanks for any clarification you can provide.
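The fallback the post keeps coming back to is logging the JA4 fingerprint at the F5 and clustering sessions with it at the origin. The following is an added example, not F5's iRule code and not part of the post: a small Python implementation of the JA4 fingerprint as published by FoxIO (JA4_a counts and flags, JA4_b sorted ciphers, JA4_c sorted extensions plus signature algorithms, each hash truncated to 12 hex characters), computed directly from a raw TLS ClientHello record. The ClientHello builder and the two sample hellos are constructed test input; the point they make is that the fingerprint is unchanged when the client random, session and SNI rotate, which is exactly why it clusters bot sessions that rotate IPs and identities.

```python
"""JA4 fingerprint from a raw TLS ClientHello (added example, assumes the FoxIO JA4 spec)."""
import hashlib

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}          # 0x0a0a, 0x1a1a, ..., 0xfafa
VERSION_CODES = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def _u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")


def parse_client_hello(record):
    """Return (legacy_version, [cipher, ...], [(ext_type, ext_data), ...])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = _u16(body, 0)
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [_u16(body, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression methods
    exts = []
    if pos + 2 <= len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            et, el = _u16(body, pos), _u16(body, pos + 2)
            exts.append((et, body[pos + 4:pos + 4 + el]))
            pos += 4 + el
    return legacy_version, ciphers, exts


def _hash12(s):
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "000000000000"


def ja4(record, transport="t"):
    legacy_version, ciphers, exts = parse_client_hello(record)
    ext_map = dict(exts)
    version = legacy_version
    if 0x002b in ext_map:                         # supported_versions: highest non-GREASE value
        d = ext_map[0x002b]
        offered = [v for v in (_u16(d, i) for i in range(1, 1 + d[0], 2)) if v not in GREASE]
        if offered:
            version = max(offered)
    ciphers = [c for c in ciphers if c not in GREASE]
    ext_types = [t for t, _ in exts if t not in GREASE]   # SNI and ALPN are counted here
    alpn = "00"
    if 0x0010 in ext_map:                         # first and last char of the first ALPN value
        d = ext_map[0x0010]
        proto = d[3:3 + d[2]].decode("ascii", "replace")
        alpn = proto[0] + proto[-1] if proto else "00"
    ja4_a = "%s%s%s%02d%02d%s" % (transport, VERSION_CODES.get(version, "00"),
                                  "d" if 0x0000 in ext_map else "i",
                                  min(len(ciphers), 99), min(len(ext_types), 99), alpn)
    ja4_b = _hash12(",".join("%04x" % c for c in sorted(ciphers)))
    hashed = ",".join("%04x" % t for t in sorted(ext_types) if t not in (0x0000, 0x0010))
    if 0x000d in ext_map:                         # signature_algorithms keep their wire order
        d = ext_map[0x000d]
        hashed += "_" + ",".join("%04x" % _u16(d, i) for i in range(2, 2 + _u16(d, 0), 2))
    return "_".join((ja4_a, ja4_b, _hash12(hashed)))


# ---- constructed ClientHello builder (test input, not captured traffic) ----
def _ext(t, data):
    return t.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data

def build_client_hello(ciphers, exts, legacy_version=0x0303, random=b"\x11" * 32):
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    eb = b"".join(_ext(t, d) for t, d in exts)
    body = (legacy_version.to_bytes(2, "big") + random + b"\x00"        # empty session id
            + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"            # null compression only
            + len(eb).to_bytes(2, "big") + eb)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def sni(host):
    h = host.encode(); entry = b"\x00" + len(h).to_bytes(2, "big") + h
    return (0x0000, len(entry).to_bytes(2, "big") + entry)

def alpn(protos):
    lst = b"".join(bytes([len(p)]) + p.encode() for p in protos)
    return (0x0010, len(lst).to_bytes(2, "big") + lst)

def supported_versions(versions):
    lst = b"".join(v.to_bytes(2, "big") for v in versions)
    return (0x002b, bytes([len(lst)]) + lst)

def sigalgs(algs):
    lst = b"".join(a.to_bytes(2, "big") for a in algs)
    return (0x000d, len(lst).to_bytes(2, "big") + lst)

def sample_fingerprints():
    """Two hellos from the same (constructed) client stack hitting two hosts with fresh randoms."""
    base = [0x0a0a, 0x1301, 0x1302, 0x1303]                              # leading GREASE cipher
    def hello(host, rnd):
        return build_client_hello(base, [(0x2a2a, b""), sni(host), supported_versions([0x0304, 0x0303]),
                                         alpn(["h2", "http/1.1"]), sigalgs([0x0403, 0x0804])], random=rnd)
    return ja4(hello("shop.example", b"\x11" * 32)), ja4(hello("api.example", b"\x22" * 32))

if __name__ == "__main__":
    print(sample_fingerprints())                  # both values identical, prefix t13d0304h2
```

Because the fingerprint depends only on what the client offers (and not on the IP, port, random or hostname), a JA4 logged at the F5 next to the client address and timestamp can be joined to the origin's session records to group the rotating sessions the post describes.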