Forum Discussion
vvskaladhar_488
Nimbostratus
Jun 19, 2018
iRule modification help and new iRule to allow specific IPs only
Hello All,
Can you please let me know if we can have an iRule to allow only selected IP ranges to access TLSv1.0 and v1.1 on the F5 VIP? Also, currently I am using the below iRule to find out the TLS ...
Stanislas_Piro2
Cumulonimbus
Jun 19, 2018
You can use code like this:
when CLIENTSSL_CLIENTHELLO {
    set virtual_server [LB::server]
    set userip [IP::client_addr]
    set SSL_version [SSL::cipher name]
    set SSL_PROTOCOL [SSL::cipher version]
    # Server Name (SNI) extension is type 0; skip its 9-byte header to keep only the hostname
    set TLS_ServerName [expr {[SSL::extensions exists -type 0] ? [string range [SSL::extensions -type 0] 9 end] : ""}]
    log local0. $TLS_ServerName
    # Reject TLSv1 clients that are not in 192.168.1.0/24; log everything else
    if {$SSL_PROTOCOL == "TLSv1" && ![IP::addr [IP::remote_addr] equals 192.168.1.0/24]} {
        log local0. "Warning: $userip - $SSL_version - $SSL_PROTOCOL - $virtual_server - $TLS_ServerName"
        reject
    } else {
        log local0. "Informational: $userip - $SSL_version - $SSL_PROTOCOL - $virtual_server - $TLS_ServerName"
    }
}
The TLS_ServerName variable contains the value of the Servername extension. This extension may contain the hostname of the request!
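A variant covering both TLSv1.0 and TLSv1.1 with several allowed ranges, as an added example that is not part of the original posts. It assumes an address-type data group named legacy_tls_allowed_dg (a hypothetical name) that holds the permitted subnets, and it goes beyond the reply above by checking the protocol in CLIENTSSL_HANDSHAKE, once the handshake has completed and the negotiated version is known.

```tcl
# Added example, not from the thread.
# Assumption: legacy_tls_allowed_dg is an address-type data group
# (hypothetical name) listing the subnets allowed to use TLS 1.0/1.1.
when CLIENTSSL_HANDSHAKE {
    set client_ip [IP::client_addr]
    set tls_proto [SSL::cipher version]
    set tls_cipher [SSL::cipher name]

    # Legacy protocol versions that are only permitted from listed subnets
    set is_legacy [expr {$tls_proto eq "TLSv1" || $tls_proto eq "TLSv1.1"}]

    if { $is_legacy && ![class match $client_ip equals legacy_tls_allowed_dg] } {
        # Legacy TLS from a source outside the data group: log and drop
        log local0. "Warning: rejected $client_ip - $tls_cipher - $tls_proto - [virtual name]"
        reject
        return
    }

    if { $is_legacy } {
        # Allowed legacy client: keep a record to track remaining TLS 1.0/1.1 usage
        log local0. "Informational: legacy TLS allowed for $client_ip - $tls_cipher - $tls_proto - [virtual name]"
    }
}
```

Keeping the ranges in a data group means the allow list can be changed without editing the iRule, and the informational log line shows which clients still depend on TLS 1.0/1.1 before those versions are disabled in the client SSL profile.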