Forum Discussion

Nimbostratus

Feb 15, 2006

Enforcing SSL Ciphers from target external IP's?

Is it possible with iRules for me to enforce a SSL cipher level for a select group of external IP's that are accessing a shared website? Thanks for anyone that can spare some advice or if po...

Feb 15, 2006

Sure it's possible. The questions is how many external IPs are you looking at. Is it a list of addresses, or subnets.

Here's how you could do it for a set of fixed addresses

*** Begin Data Group ***
class valid_addresses {
  "10.10.10.10"
  "10.10.10.11"
  "10.10.10.12"
}
*** Begin iRule ***
when HTTP_REQUEST {
  if { [matchclass [IP::client_addr] equals $::valid_addresses] } {
     check for at least 128 bits of encryption
    if { [SSL::cipher bits] < 128 }{
       when browser cannot do at least 128 bits of encryption redirect
       to a un-encrypted page with an informational error
      HTTP::redirect http://10.10.10.10/error/sslerr.html
    }
  }
}

This should at least get you started...

-Joe

Forum Discussion

Enforcing SSL Ciphers from target external IP's?

Recent Discussions

Azure DP-100 Exam Questions

Deploying F5 WAF in front of Azure Web App Services

What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning

What is the meaning is 52% block in WAF

Rundeck ansible F5 errors

Related Content

Enforce Server Cipher proposal in preferred order

Cipher Suites Supported (12.1.5.3)

LTM Cipher rule

Cipher Suite Practices and Pitfalls

BoT Defense Profile, Signature Enforcement