For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Internet_Suppo1's avatar
Internet_Suppo1
Icon for Nimbostratus rankNimbostratus
Sep 01, 2017

How to use two ssl profiles depending on connecting address

Morning All, I'm trying to edit the iapp template. What I would like to do is implement certificate pinning for all clients except from certain network ranges. Eg for connections from 1...
application delivery
iRules
LTM
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Sep 01, 2017

Hi,

you can create 3 VS:

  • one routing VS without any SSL and HTTP profile but the next irule
  • one VS (same destination address or another one, doesn't matter, never used) with VLAN enabled none. enable first SSL profile
  • one VS (same destination address or another one, doesn't matter, never used) with VLAN enabled none. enable second SSL profile

VS1 irule:

when CLIENT_ACCEPTED {
    if {[IP::addr [IP::remote_addr]/24 equals 134.170.98.0]} {
        virtual vs2
    } elseif {[IP::addr [IP::remote_addr]/24 equals 157.56.199.0]} {
        virtual vs2
    } else {virtual vs3}
}

if the source IP is too long, you can use a data group list.

Related Content