Forum Discussion
Malwark_334365
Nimbostratus
Sep 22, 2017
iRule assistance - Block SSL/TLS unless client already has an existing session
Hi all, very new to F5. I kind of inherited it...
What I'm trying to accomplish:
When an SSL/TLS request is initiated (maybe use CLIENTSSL_CLIENTHELLO), see if the client has an existing sessi...
Stanislas_Piro2
Cumulonimbus
Sep 27, 2017
Hi,
I guess the HTTPS logon page and the TLS services are on different VS. If not, it will be more difficult because you will have to capture the TCP packet first and decode it to parse the binary content.
You can create a table record with the IP address in an iRule assigned to the APM virtual server:
when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] equals "allow" } {
        # key = client IP, value = APM session id; the record's inactivity
        # timeout and absolute lifetime follow the access profile's settings
        table set -subtable L4SESSION [IP::client_addr] [ACCESS::session sid] \
            [PROFILE::access inactivity_timeout] [PROFILE::access max_session_timeout]
    }
}
when ACCESS_SESSION_CLOSED {
    # this event has no connection context (it also fires on session timeout),
    # so take the client IP from the session variable rather than IP::client_addr
    table delete -subtable L4SESSION [ACCESS::session data get session.user.clientip]
}
Then accept the connection on the other VS if the IP address is known:
when CLIENT_ACCEPTED {
    # table lookup returns "" for an unknown key (and refreshes the inactivity
    # timer of a known one)
    if { [table lookup -subtable L4SESSION [IP::client_addr]] equals "" } {
        drop
    }
}
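The answer above covers the two-VS layout and notes that a single VS is harder because the logon page and the service can only be told apart from the ClientHello. The iRule below, an added example that is not from the original thread or from the poster, handles that single-VS case by reading the SNI extension in CLIENTSSL_CLIENTHELLO: a ClientHello for the logon hostname is always allowed so APM can run, anything else must match a record left by a completed access policy. It assumes one virtual server carrying both a client SSL profile and the APM access profile, a BIG-IP release with SSL::extensions (assumed 11.6 or later), the placeholder logon hostname logon.example.com, and the L4SESSION subtable name used in the answer. Two caveats a practitioner should weigh: the gate is keyed on source IP only, so every host behind the same NAT is admitted once one user logs on (treat it as a coarse filter, not authentication), and the access profile on the shared VS still applies to any HTTP traffic that passes the gate.

```tcl
# Added example: gate non-logon TLS on one VS behind a completed APM logon.
# Assumptions (not from the thread): single VS with client SSL + access profile,
# SSL::extensions available, placeholder hostname below, subtable L4SESSION.

when RULE_INIT {
    # ClientHellos for this SNI are always admitted so users can reach the logon page.
    set static::logon_sni "logon.example.com"
}

when CLIENTSSL_CLIENTHELLO {
    set sni ""
    # Raw server_name extension: 2B type, 2B ext length, 2B list length,
    # 1B name type, 2B name length, then the host name. Skip the 9 header bytes.
    set ext [SSL::extensions -type 0]
    if { [string length $ext] > 9 } {
        binary scan $ext @9A* sni
    }
    if { [string tolower $sni] equals $static::logon_sni } {
        # Logon traffic: let APM handle it.
        return
    }
    # Any other TLS service: require a record written at ACCESS_POLICY_COMPLETED.
    # table lookup also refreshes the record's inactivity timer, so continued use
    # of the service keeps the gate open; the APM session itself is not refreshed.
    set sid [table lookup -subtable L4SESSION [IP::client_addr]]
    if { $sid equals "" } {
        log local0. "rejecting TLS from [IP::client_addr] (SNI '$sni'): no APM session"
        reject
        return
    }
}

when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] equals "allow" } {
        # key = client IP, value = session id, timeout and lifetime from the profile
        table set -subtable L4SESSION [IP::client_addr] [ACCESS::session sid] \
            [PROFILE::access inactivity_timeout] [PROFILE::access max_session_timeout]
    }
}

when ACCESS_SESSION_CLOSED {
    # No connection context in this event, so use the session's recorded client IP.
    table delete -subtable L4SESSION [ACCESS::session data get session.user.clientip]
}
```

Rejecting (TCP reset) rather than dropping in CLIENTSSL_CLIENTHELLO makes failures visible to the client and shows up in the log line, which is usually what you want while tuning the gate; switch to drop once it is stable if silent failure is preferred.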