Forum Discussion
iRule to accept client then SSL cert validation
Hi everyone 🙂
Please advise the best way to do this with an iRule:
1. Accept only the client coming from one specific IP,
then:
2. For the rest (those who are not this specific IP), I want to check the SSL CN, for example ABC.COM
3. If it does not contain ABC.COM, reject the connection
The point is that this one client comes without the CN, and I want to let it through and check only the rest.
Thank you!
MaxMedov,
I think you can use TCP::collect. Refer to the TCP collect start iRule:
when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0
    # disable client/serverside ssl profile by default
    SSL::disable clientside
    #SSL::disable serverside
    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } {
        #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]"
    }
    # run TCP collect to check SNI for bypass before intercept SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    # release the collected data after 500 ms so the connection is not held if no payload arrives
    set monitor_id [ after 500 { TCP::release } ]
}
and you can check the SNI, CN, etc. in "when CLIENT_DATA".
- Hooni_LCirrus
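The three steps from the question, written out as an added example iRule. This is not code from the original posts or from F5, and it takes a different route from the TCP::collect approach above: instead of inspecting the raw ClientHello, it lets the client SSL profile negotiate the handshake and makes the decision in the CLIENTSSL_CLIENTCERT event. It assumes the client SSL profile is configured to "request" (not "require") a client certificate, so that event fires even when the bypass client sends no certificate; 192.0.2.10 and the CN string "abc.com" are placeholders to be replaced.

```tcl
# Added example (not from the original thread): let one source IP through
# without a client certificate, require everyone else to present a client
# certificate whose subject CN contains ABC.COM, otherwise reject.
#
# Assumptions (placeholders, adjust for your environment):
#   - the client SSL profile is set to "request" a client certificate, not
#     "require", so CLIENTSSL_CLIENTCERT fires even when no cert is sent
#   - 192.0.2.10 is the address that may skip the certificate check
#   - the CN check is a case-insensitive substring match on "abc.com"

when RULE_INIT {
    set static::bypass_ip   "192.0.2.10"
    set static::required_cn "abc.com"
}

when CLIENT_ACCEPTED {
    # Decide once per connection whether this client may skip the CN check.
    if { [IP::addr [IP::client_addr] equals $static::bypass_ip] } {
        set bypass 1
    } else {
        set bypass 0
    }
}

when CLIENTSSL_CLIENTCERT {
    # The bypass client is accepted whether or not it sent a certificate.
    if { $bypass } {
        return
    }

    # Everyone else must present a certificate at all ...
    if { [SSL::cert count] < 1 } {
        log local0. "No client cert from [IP::client_addr], rejecting"
        # Invalidate the TLS session so a resumed session cannot skip this check.
        SSL::session invalidate
        reject
        return
    }

    # ... and its subject CN must contain the required string.
    # X509::subject returns e.g. "CN=host.abc.com,OU=Ops,O=Example";
    # findstr pulls the value between "CN=" and the next comma
    # (empty string if there is no CN, which then fails the check).
    set subject [X509::subject [SSL::cert 0]]
    set cn [findstr $subject "CN=" 3 ","]

    if { !([string tolower $cn] contains $static::required_cn) } {
        log local0. "Client cert CN '$cn' from [IP::client_addr] does not contain $static::required_cn, rejecting"
        SSL::session invalidate
        reject
        return
    }

    log local0. "Client cert CN '$cn' from [IP::client_addr] accepted"
}
```

Two caveats worth keeping in mind. The "contains" test is exactly what the question asked for, but it also matches a CN such as "notabc.com.example"; if the intent is a specific name or a domain suffix, tighten the comparison (an equals check or an ends_with on ".abc.com") before deploying. And the iRule only inspects the subject; whether the certificate is actually trusted (chain and signature verification against a CA bundle) is decided by the client SSL profile's trusted CA settings, so the CN match on its own is not authentication.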
- Leslie_Hubertus (Ret. Employee)
- G-Rob (Employee)
Max,
Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.
- G-Rob (Employee)
Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying.