Forum Discussion
iRule Redirection for different host
Hi,
I need to write an iRule which states that if traffic comes for CN abc.com it should redirect to "def.com", and for CN tuv.com traffic goes to xyz.com.
Current iRule on LB:
```tcl
# This iRule:
# - Checks the CN provided by the client SSL cert
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if {[SSL::cert 0] eq ""} {
        # Reset the connection
        reject
    } else {
        # Check if the client certificate contains the correct CN
        log "Client Certificate: [X509::subject [SSL::cert 0]]"
        if { ([class match [X509::subject [SSL::cert 0]] contains F5_cn_list]) } {
            # Subject matched an entry in F5_cn_list: allow the connection
        } else {
            log "No Matching Client Certificate Was Found Using: [X509::subject [SSL::cert 0]]"
            reject
        }
    }
}
```
F5_cn_list: contains CN abc.com and tuv.com
This CN will be checked in the iRule below
```tcl
# iRule to alter the host header for outbound traffic so that def.com is presented to the remote server
when HTTP_REQUEST {
    HTTP::header replace Host def.com
    log local0. "rewrite executed [HTTP::header "Host"]"
}
```
2 Replies
Please edit your question and use the Preformatted Code option. This is unreadable.
/Patrik
- svs
Cirrostratus
This doesn't make sense to me. Why do you check the CN from a client certificate to decide on the pool of the connection? Did I get it correctly? I'm not sure...
May this be what you're looking for?
```tcl
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if {[SSL::cert 0] eq ""} {
        # Reset the connection
        reject
    } else {
        # Check if the client certificate contains the correct CN
        log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
        if { ([class match [X509::subject [SSL::cert 0]] contains F5_cn_list]) } {
            log local0. "Forward to def.com pool"
            pool pool_def.com
        } elseif { ([class match [X509::subject [SSL::cert 0]] contains F5_cn_list2]) } {
            log local0. "Forward to xyz.com pool"
            pool pool_xyz.com
        } else {
            log local0. "No Matching Client Certificate Was Found Using: [X509::subject [SSL::cert 0]]"
            reject
        }
    }
}
```
I absolutely agree with Patrik. Please use the correct format options, otherwise no one will be willing to read your "question".
Greets, svs
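
The mapping the question asks for (client-certificate CN to outbound Host header), as an added example that is not part of the thread or any poster's code. The data group `cn_to_host_dg` and the variable `upstream_host` are hypothetical names, and the subject is assumed to be a comma-separated DN with lowercase data-group keys.

```tcl
# Added example. Assumes a string data group named cn_to_host_dg
# (hypothetical) with lowercase keys, for example:
#   abc.com := def.com
#   tuv.com := xyz.com
when CLIENTSSL_CLIENTCERT {
    # Forget any mapping left from an earlier handshake on this connection
    unset -nocomplain upstream_host

    # No certificate presented: drop the connection
    if { [SSL::cert 0] eq "" } {
        reject
        return
    }

    # Pull the CN attribute out of the subject DN.
    # Assumption: the DN looks like "CN=abc.com,OU=...,O=..." and no
    # attribute value contains an escaped comma.
    set subject [X509::subject [SSL::cert 0]]
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string tolower [string range $rdn 3 end]]
            break
        }
    }

    # Exact match on the CN only. A "contains" test against the whole
    # subject would also accept CN=abc.com.example.net or OU=abc.com.
    set upstream_host [class match -value $cn equals cn_to_host_dg]
    if { $upstream_host eq "" } {
        log local0. "No mapping for client certificate subject: $subject"
        unset upstream_host
        reject
    }
}

when HTTP_REQUEST {
    # Fail closed if no CN mapping was stored for this connection
    if { ![info exists upstream_host] } {
        reject
        return
    }
    HTTP::header replace Host $upstream_host
}
```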