Forum Discussion

awan_m
Oct 30, 2024

Datagroup with address and value

Hi - I want to do a check on F5 during the SSL handshake: extract the OU from the certificate and validate it against the client IP.
So I created a data group with address and value.

Question: how would I match the pair of IP and OU as address and value?

Thanks 



ltm data-group internal ip_allow {
    records {
        10.10.10.0/24 {
            data Prod
        }
        20.20.20.0/24 {
            data Staff
        }
    }
    type ip
}

    • awan_m

      Thanks for the reply.

      I want to match both IP and OU,

      meaning the client IP and the extracted OU must match the address and value in the data group:

      records {
              10.10.10.0/24 {
                  data Prod
              }
      }

      • zamroni777

        You need to do it in 2 steps:
        1. Determine which address range the client IP address belongs to (using the above IP:addr .....; loop over the address ranges until one matches).
        2. Check whether the OU matches that address range (using the data group).

    • awan_m

      It's a key-pair match.

      IP and OU need to match as they are locked to each other:

      10.10.10.0/24 IPs must have Prod, else drop.

      20.20.20.0/24 IPs must have Staff, else drop.


      • Paulius

        awan_m, I believe the following will work for you, but I'm not 100% positive because I can't lab it. This assumes you intend to send the client to a specific pool; if not, you can change the action in the if statement matching TEMP_OU to whatever action you would like.

        when CLIENTSSL_CLIENTCERT priority 500 {

            # if the client presented no certificate, kill the connection by sending a reset back to the client
            if { [SSL::cert count] < 1 } {
                reject
                return
            }

            # pull the OU attribute out of the certificate subject, e.g. "CN=app1,OU=Prod,O=Example"
            set cert_subject [X509::subject [SSL::cert 0]]
            set cert_ou [string trim [findstr $cert_subject "OU=" 3 ","]]

            # release any stored data just in case (only relevant if HTTP::collect was used for a renegotiation)
            HTTP::release

        }

        when HTTP_REQUEST priority 500 {

            # CLIENTSSL_CLIENTCERT never set the OU on this connection, so no certificate was seen
            if { ![info exists cert_ou] } {
                reject
                return
            }

            # strip any route domain suffix (10.1.1.1%2) before the address data group lookup
            set client_ip [getfield [IP::client_addr] "%" 1]

            if { [class match -- $client_ip equals ip_allow] } {

                # the value stored against the matching range, e.g. "Prod"
                set TEMP_OU [class match -value -- $client_ip equals ip_allow]

                if { ${cert_ou} equals ${TEMP_OU} } {
                    pool <pool_name>
                } else {
                    # IP is in the data group but the certificate OU is not the one locked to that range
                    reject
                }

            } else {
                reject
            }

        }


  •  

    To match the pair of IP and OU, use an iRule during the SSL handshake. Extract the client's IP and the "OU" from the certificate. Then, match the IP in your data group and check if the stored value (OU) matches:

    1. Extract the client IP and OU.
    2. Check if the IP exists in your data group.
    3. Compare the stored value (OU) with the extracted OU.
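    The three steps above, as an added Python model that is not part of the thread and not F5 code: a constructed copy of the ip_allow data group, a subnet lookup standing in for `class match -value` on an address data group (longest-prefix selection and route-domain stripping are assumptions about that lookup), OU extraction from the subject DN, and the allow/reject decision.

    ```python
    import ipaddress
    import re
    from typing import Dict, Optional

    # Constructed copy of the address-type data group posted in the thread.
    # key: CIDR range, value: the OU the client certificate must carry
    IP_ALLOW: Dict[str, str] = {
        "10.10.10.0/24": "Prod",
        "20.20.20.0/24": "Staff",
    }

    def data_group_match(client_ip: str, records: Dict[str, str]) -> Optional[str]:
        """Model of `class match -value <ip> equals <address data group>`.
        Strips a route-domain suffix (10.1.1.1%2) and returns the value of the
        most specific range containing the address (assumed behaviour), or None."""
        addr = ipaddress.ip_address(client_ip.split("%", 1)[0])
        best = None
        for cidr, value in records.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, value)
        return best[1] if best else None

    def extract_ou(subject_dn: str) -> Optional[str]:
        """Pull the OU attribute out of an X509 subject DN such as
        'CN=app1,OU=Prod,O=Example'; None when the certificate has no OU."""
        m = re.search(r"(?:^|,)\s*OU=([^,]+)", subject_dn)
        return m.group(1).strip() if m else None

    def decide(client_ip: str, subject_dn: Optional[str]) -> str:
        """Step 1: need a certificate and its OU. Step 2: the client IP must be in
        the data group. Step 3: the stored value must equal the certificate OU.
        Any failure is a reject, matching the 'else drop' requirement."""
        if subject_dn is None:
            return "reject: no client certificate"
        expected_ou = data_group_match(client_ip, IP_ALLOW)
        if expected_ou is None:
            return "reject: client IP not in data group"
        ou = extract_ou(subject_dn)
        if ou != expected_ou:
            return "reject: OU %r does not match %r" % (ou, expected_ou)
        return "allow"
    ```
    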