Forum Discussion

MikeG_331443
Nov 21, 2018

Expression help

Hi all,

I need a little help with an expression aimed at reducing rule clutter, and I haven't been able to get it working properly. Basically, what I'm checking for is: if a URI is accessed, check for a specific CN of the client certificate, then allow.

expr { [mcget {session.server.landinguri}] eq "/URI_01" && [mcget {session.ssl.cert.subject}] contains "mycert.certificate.com" }

Unfortunately I have a lot of URIs, but they mostly check for the same certificate. So I tried using a starts_with /URI but it doesn't seem to work and all attempts to that URI end up with a deny.

expr { [mcget {session.server.landinguri}] starts_with "/URI" && [mcget {session.ssl.cert.subject}] contains "mycert.certificate.com" }

What that should do is allow access to /URI_01, /URI_02, /URI_03, and so on, with just one rule. But it doesn't, and only when I specifically name the URI in its own rule does it work.

The ACLs for the URI paths are good with a wildcard, so I have an L7 ACL that allows /URI* and that works, but the actual access policy doesn't work with one rule.

Does anyone see what I'm missing? Thanks in advance!