Forum Discussion
Drew_Garner_111
Nimbostratus
Feb 15, 2006
Enforcing SSL Ciphers from target external IPs?
Is it possible with iRules for me to enforce an SSL cipher level for a select group of external IPs that are accessing a shared website?
Thanks for anyone that can spare some advice or if po...
Feb 15, 2006
Sure it's possible. The question is how many external IPs are you looking at. Is it a list of addresses, or subnets?
Here's how you could do it for a set of fixed addresses:
*** Begin Data Group ***
class valid_addresses {
    "10.10.10.10"
    "10.10.10.11"
    "10.10.10.12"
}
*** Begin iRule ***
when HTTP_REQUEST {
    if { [matchclass [IP::client_addr] equals $::valid_addresses] } {
        # check for at least 128 bits of encryption
        if { [SSL::cipher bits] < 128 } {
            # when browser cannot do at least 128 bits of encryption redirect
            # to an un-encrypted page with an informational error
            HTTP::redirect http://10.10.10.10/error/sslerr.html
        }
    }
}

This should at least get you started...
-Joe
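
The subnet case that the reply asks about but does not show, as an added example that is not part of the original post and is not F5's code. The subnets and the `::restricted_nets` and `::min_cipher_bits` variable names are assumptions made for illustration; the redirect URL is the one from the post, and the rule also logs the negotiated cipher so weak clients can be identified.

```tcl
# Added example: subnet-based variant of the rule in the post.
# The subnets are constructed sample values, not from the original thread.
when RULE_INIT {
    # Hypothetical list of external subnets that must negotiate strong ciphers.
    set ::restricted_nets {
        10.10.10.0/24
        10.10.20.0/28
    }
    # Minimum symmetric key size, same threshold as in the post.
    set ::min_cipher_bits 128
}

when HTTP_REQUEST {
    # Check whether the client address falls inside any restricted subnet.
    set restricted 0
    foreach net $::restricted_nets {
        if { [IP::addr [IP::client_addr] equals $net] } {
            set restricted 1
            break
        }
    }

    if { $restricted && [SSL::cipher bits] < $::min_cipher_bits } {
        # Record what was negotiated before sending the client away.
        log local0. "weak cipher from [IP::client_addr]: [SSL::cipher name] ([SSL::cipher bits] bits)"
        HTTP::redirect http://10.10.10.10/error/sslerr.html
    }
}
```

Because the check runs in HTTP_REQUEST, the TLS handshake with the weaker cipher has already completed by the time the client is redirected.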
