Forum Discussion
How to use two ssl profiles depending on connecting address
Morning All,
I'm trying to edit the iapp template.
What I would like to do is implement certificate pinning for all clients except from certain network ranges.
E.g. for connections from
134.170.98.0/24
157.56.199.0/24
134.170.70.0/24
......
do not require a specific certificate on the client devices.
For all other connections, require a specific certificate. I know I can add a certificate requirement to the SSL profile. I'm guessing I need to create two SSL profiles, one with cert pinning and the other without, but I'm a bit lost on how to implement this in the iRule. Any suggestions?
Existing iRule without changes:
# Exchange 2013 iRule to select pool without persistence when all Exchange
# HTTP-based services are accessed through the same virtual server.
when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync*" {
            # Exchange ActiveSync.
            pool /Common/EXO.app/EXO_as_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/owa*" {
            # Outlook Web App.
            return
        }
        "/ecp*" {
            # Exchange Control Panel.
            return
        }
        "/ews*" {
            # Exchange Web Services.
            pool /Common/EXO.app/EXO_ews_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/oab*" {
            # Offline Address Book.
            pool /Common/EXO.app/EXO_ews_pool7
            persist none
            return
        }
        "/rpc/rpcproxy.dll*" {
            # Outlook Anywhere.
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/autodiscover*" {
            # Requests for Autodiscovery information.
            pool /Common/EXO.app/EXO_ad_pool7
            persist none
            return
        }
        default {
        }
    }
}
when HTTP_RESPONSE {
    if { ( [HTTP::header exists "WWW-Authenticate"] &&
           [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" ) ||
         ( [HTTP::header exists "Persistent-Auth"] &&
           [string tolower [HTTP::header "Persistent-Auth"]] contains "true" ) } {
        # Connection-based (NTLM/Negotiate) authentication: keep the client
        # bound to its server-side connection.
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        NTLM::disable
    }
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}
Many Thanks, Andrew.
- Stanislas_Piro2
Cumulonimbus
Hi,
you can create 3 VS:
- one routing VS without any SSL or HTTP profile, but with the iRule below
- one VS (same destination address or another one, doesn't matter, never used) with VLAN enabled on none; enable the first SSL profile
- one VS (same destination address or another one, doesn't matter, never used) with VLAN enabled on none; enable the second SSL profile
VS1 iRule:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr]/24 equals 134.170.98.0] } {
        virtual vs2
    } elseif { [IP::addr [IP::remote_addr]/24 equals 157.56.199.0] } {
        virtual vs2
    } else {
        virtual vs3
    }
}
If the list of source IPs is too long, you can use a data group list.
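The data-group variant of the routing iRule, as an added example that is not part of the thread (neither poster wrote it). It assumes three objects you create yourself: an address data group `exo_nocert_nets` holding the exempt ranges from the question, a virtual server `vs_exo_nocert` whose client-ssl profile does not require a client certificate, and a virtual server `vs_exo_cert` whose client-ssl profile has Client Certificate set to require (the "cert pinning" the question asks for is a client-certificate requirement on the client-ssl profile). All three names are assumptions; the tmsh commands in the comment are one way to create the data group.

```tcl
# Added example (not from the thread). Routing iRule for the first virtual
# server in the reply above, using a data group instead of a chain of
# IP::addr comparisons. Assumed objects (create them before attaching this rule):
#
#   tmsh create ltm data-group internal exo_nocert_nets type ip records add {
#       134.170.98.0/24 { } 157.56.199.0/24 { } 134.170.70.0/24 { } }
#   vs_exo_nocert : client-ssl profile WITHOUT a client-certificate requirement
#   vs_exo_cert   : client-ssl profile with Client Certificate = require
#
# The routing virtual server carries no SSL or HTTP profile, so the decision
# is taken at CLIENT_ACCEPTED, before any TLS handshake; the client-ssl
# profile of whichever target virtual server is chosen then handles the
# handshake and enforces (or not) the client-certificate requirement.
when CLIENT_ACCEPTED {
    # class match against an address-type data group does subnet matching,
    # so a single lookup covers every exempt range in the list.
    if { [class match [IP::client_addr] equals exo_nocert_nets] } {
        # Exempt source network: no client certificate required.
        virtual vs_exo_nocert
    } else {
        # Everyone else must present the required client certificate.
        virtual vs_exo_cert
    }
}
```

Adding or removing an exempt range is then a data-group change rather than an iRule edit. To check the split, connect with `openssl s_client` from an address inside one of the exempt ranges and from one outside it: only the second connection should see a CertificateRequest from the BIG-IP and be refused without a client certificate.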