Forum Discussion
Ryan_Rowe_79249
Nimbostratus
Dec 23, 2009
IP Restrict then client cert check
BigIP 8.3.3 and 8.4.1 (hopefully there is no difference)
So here is what I want to do. If an IP is in a datagroup then passthrough but if not then authenticate with an SSL cert.
I t...
Ryan_Rowe_79249
Nimbostratus
Dec 23, 2009
Here I found this:
http://devcentral.f5.com/Wiki/default.aspx/iRules/ClientCertificateCNChecking.html
In part 3 I have made this, but I don't know if it will work, so my iRule would look like this:
    when RULE_INIT {
        # Global debug flag (1 = log received certificate subjects)
        set ::debug 1
    }
    when CLIENTSSL_CLIENTCERT {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        if { $subject_dn != "" } {
            if { $::debug } { log "Client Certificate received: $subject_dn" }
        }
    }
    when HTTP_REQUEST {
        if { [matchclass [IP::client_addr] equals $::IPdatagroup] } {
            # Client IP is in the data group: pass the request through
        } elseif { $subject_dn contains "CN=Company A" } {
            # Certificate subject (set in CLIENTSSL_CLIENTCERT) matches: allow
        } else {
            HTTP::respond 403 content "403 - Forbidden"
        }
    }
Would this work?
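The decision the post describes, modelled in Python so it can be run off the BIG-IP and compared against the posted `contains` test (an added example, not code from the thread or from F5). The data group entries, the allowed CN set and all function names are assumptions, and it assumes the client SSL profile has already validated the certificate chain against a trusted CA.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
IP_DATAGROUP = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.0.2.10/32")]
ALLOWED_CNS = {"Company A"}


def parse_subject_dn(dn):
    """Split a one-line DN ('/C=AU/.../CN=John Smith') into (attr, value) pairs.

    Simplification: values that themselves contain '/' are not handled.
    """
    pairs = []
    for part in dn.split("/"):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def common_name(dn):
    """Return the subject's single CN, or None if it is missing or ambiguous."""
    cns = [value for attr, value in parse_subject_dn(dn) if attr == "CN"]
    return cns[0] if len(cns) == 1 else None


def decide(client_ip, subject_dn=None):
    """Return (status, reason): 200 passes the request on, 403 refuses it."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in IP_DATAGROUP):
        return 200, "ip-in-datagroup"
    if not subject_dn:  # no client certificate was presented
        return 403, "no-client-cert"
    if common_name(subject_dn) in ALLOWED_CNS:  # exact match on the CN only
        return 200, "cn-match"
    return 403, "cn-not-allowed"


def contains_check(subject_dn, needle="CN=Company A"):
    """The substring test from the posted rule, kept for comparison."""
    return needle in subject_dn


if __name__ == "__main__":
    other = "/C=AU/ST=NSW/L=Syd/O=Other Org/CN=Company ABC"  # constructed DN
    print(contains_check(other), decide("203.0.113.5", other))
```

The substring test accepts any subject whose DN merely contains `CN=Company A`, such as a CN of `Company ABC`, while the exact comparison refuses it.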
