Forum Discussion

chin_15339's avatar
chin_15339
Icon for Nimbostratus rankNimbostratus
Apr 30, 2017

help required in elseif statement not working as expected

when RULE_INIT {

    set static::debug 1

}

when CLIENTSSL_CLIENTCERT {

Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith

    set subject_dn [X509::subject [SSL::cert 0]] 

    if { $subject_dn != "" }{

            if { $static::debug }{ log "Client Certificate received: $subject_dn"}

    }

}
when HTTP_REQUEST {

    if { [HTTP::host] contains "192" } {

            if { $subject_dn contains "CN=Vinit-A" } {HTTP::redirect "/vinit-A.html"}

             if { $subject_dn contains "CN=Vinit-B" } {HTTP::redirect "/vinit-B.html"} 

              if { $subject_dn contains "CN=Vinit-D" } {HTTP::redirect "/vinit-C.html"} 

    } elseif { [HTTP::host] contains "168" }{

             if { $subject_dn eq "" } {HTTP::redirect "/Certmissing.html"} 

    }

}

application delivery
iRules
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Apr 30, 2017

    Hi,

    if you redirect to 

    /vinit-A.html
    , redirect only 
    /
    URI, else, the request to 
    /vinit-A.html
    will be handle by the irule and will redirect to 
    /vinit-A.html

    and use 

    switch
    instead of 
    if / elseif / elseif/ elseif

    when RULE_INIT {
    set static::debug 1
}

when CLIENTSSL_CLIENTCERT {

Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]] 
    if { $subject_dn != "" }{
            if { $static::debug }{ log "Client Certificate received: $subject_dn"}
    }
}
when HTTP_REQUEST {

    if { [HTTP::host] contains "192" && [HTTP::host] && [HTTP::host] equals "/" } {
        switch -glob -- $subject_dn {
        "*CN=Vinit-A*" {HTTP::redirect "/vinit-A.html"}
        "*CN=Vinit-B*" {HTTP::redirect "/vinit-B.html"}
        "*CN=Vinit-B*" {HTTP::redirect "/vinit-C.html"}
        }
    } elseif { [HTTP::host] contains "168" && [HTTP::host] equals "/" }{
             if { $subject_dn eq "" } {HTTP::redirect "/Certmissing.html"} 
    }               
}
  • chin_15339's avatar
    chin_15339
    Icon for Nimbostratus rankNimbostratus
    Apr 30, 2017

    thanks Stanislas but the rule is still not working when there is no client certificate presented I want the page to redirect to /Certmissing

     

    • Stanislas_Piro2's avatar
      Stanislas_Piro2
      Icon for Cumulonimbus rankCumulonimbus
      Apr 30, 2017

      Hi,

      Can you explain what are 192 and 168 hostnames? (it make me think about 192.168.x.x).

      when RULE_INIT {
    set static::debug 1
}

when CLIENTSSL_CLIENTCERT {

Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]] 
    if { $subject_dn != "" }{
            if { $static::debug }{ log "Client Certificate received: $subject_dn"}
    }
}
when HTTP_REQUEST {

    if { [HTTP::host] contains "192" && [HTTP::host] && [HTTP::uri] equals "/" } {
        switch -glob -- $subject_dn {
        "" {HTTP::redirect "/Certmissing.html"}
        "*CN=Vinit-A*" {HTTP::redirect "/vinit-A.html"}
        "*CN=Vinit-B*" {HTTP::redirect "/vinit-B.html"}
        "*CN=Vinit-B*" {HTTP::redirect "/vinit-C.html"}
        }
    } elseif { [HTTP::host] contains "168" && [HTTP::uri] equals "/" }{
             if { $subject_dn eq "" } {HTTP::redirect "/Certmissing.html"} 
    }               
}
    • chin_15339's avatar
      chin_15339
      Icon for Nimbostratus rankNimbostratus
      Apr 30, 2017

      yes that is correct Stanislas we are trying this in our staging environment

       

    • chin_15339's avatar
      chin_15339
      Icon for Nimbostratus rankNimbostratus
      Apr 30, 2017

      Hi Stanislas I tried your updated irule but sorry no luck it doesnt work as expected

       

      the redirects /vinit-A.html and /vinit-C.html and B works as expected but the missing Cert does not work