Forum Discussion
mikegray_198028
Jan 20, 2017 | Cirrus
irule help
Hello Team,
I am looking for an iRule for the below scenario.
https://www.example.com/user1 > for this user will submit client certificate with cn=user1 LB should accept this connection and rej...
JG
Jan 22, 2017 | Cumulonimbus
Would this one work for you:
```tcl
when CLIENT_ACCEPTED {
    # Per-connection set of certificate subjects seen during the handshake
    array set CNs {}
}
when CLIENTSSL_CLIENTCERT {
    # Log every certificate the client sent and record its subject
    for {set i 0} {$i < [SSL::cert count]} {incr i} {
        log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\
            [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
        # The array key is the subject string exactly as X509::subject returns it
        set CNs([X509::subject [SSL::cert $i]]) 1
    }
}
when HTTP_REQUEST {
    # Each URI requires a matching subject; anything else is rejected.
    # Array indexes are literal text, so the key is written without quotes
    # (quotes inside the parentheses would become part of the key).
    switch -glob [HTTP::uri] {
        "/abcdef" {
            if { ! ([info exists CNs(cn=frontofficeuser)]) } {
                log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::uri] : rejected."
                reject
            }
        }
        "/bcdefg" {
            if { ! ([info exists CNs(cn=hruser)]) } {
                log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::uri] : rejected."
                reject
            }
        }
        "/cdefgh" {
            if { ! ([info exists CNs(cn=facilitiesuser)]) } {
                log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::uri] : rejected."
                reject
            }
        }
        default {
            reject
            log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::uri] : rejected."
        }
    }
}
```
?
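A variant of the reply's path-to-CN policy that compares only the CN of the client's own certificate rather than the whole subject string, as an added example that is not part of the original thread. The variable names `client_cn` and `required_cn` are hypothetical, and the subject is assumed to be a comma-separated list of RDNs whose CN contains no escaped comma.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Reset on every handshake so a renegotiation cannot leave a stale CN behind.
    set client_cn ""
    if { [SSL::cert count] > 0 } {
        # Index 0 is the client's own (leaf) certificate; higher indexes are
        # chain certificates and are not used for the identity decision.
        set subject [X509::subject [SSL::cert 0]]
        # Walk the RDNs of the subject and keep the CN value.
        # Assumption: RDNs are comma-separated, CN has no escaped comma.
        foreach rdn [split $subject ","] {
            set rdn [string trim $rdn]
            # The attribute type is matched case-insensitively (CN= or cn=).
            if { [string match -nocase "CN=*" $rdn] } {
                set client_cn [string range $rdn 3 end]
                break
            }
        }
    }
}
when HTTP_REQUEST {
    # Path without the query string; the path-to-CN pairs are the reply's.
    switch -- [HTTP::path] {
        "/abcdef" { set required_cn "frontofficeuser" }
        "/bcdefg" { set required_cn "hruser" }
        "/cdefgh" { set required_cn "facilitiesuser" }
        default   { set required_cn "" }
    }
    # Fail closed: unknown path, no CLIENTSSL_CLIENTCERT event seen on this
    # connection (variable unset), empty CN, or a CN that does not match exactly.
    if { $required_cn eq "" || ![info exists client_cn] || $client_cn ne $required_cn } {
        log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::uri] : rejected."
        reject
        return
    }
}
```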