Forum Discussion
MaxMedov
Jan 09, 2023
Cirrostratus
iRule to accept client then SSL cert validation
Hi everyone 🙂 Please advise the best way to combine an iRule with doing this: 1. Accept only client coming from 1 specific IP then: 2. For the rest (who are not this specific IP), I want to chec...
- Jan 13, 2023
MaxMedov,
I think you can use TCP::collect. Refer to: TCP collect start iRule
```tcl
when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0
    # disable client/serverside ssl profile by default
    SSL::disable clientside
    #SSL::disable serverside
    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } {
        #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]"
    }
    # run TCP collect to check SNI for bypass before intercept SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    set monitor_id [ after 500 { TCP::release } ]
}
```
And you can check the SNI, CN, etc. in "when CLIENT_DATA".
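A CLIENT_DATA handler to pair with the CLIENT_ACCEPTED rule above, as an added example that is not part of the original reply: it bounds-checks the collected ClientHello, extracts the SNI, and either leaves client-side SSL disabled (bypass) or re-enables it. The data group name `sni_bypass_names` is hypothetical, and a ClientHello split across several TLS records is not handled.

```tcl
# Added example, not from the thread. Assumes the CLIENT_ACCEPTED rule above
# ($monitor_id set) and a hypothetical string data group "sni_bypass_names".
when CLIENT_DATA {
    set p [TCP::payload]
    set sni ""
    # Record header: type(1) version(2) length(2); handshake type is at offset 5.
    if { [binary scan $p cSSc rtype rver rlen htype] == 4 && $rtype == 22 && $htype == 1 } {
        set rend [expr {5 + ($rlen & 0xffff)}]
        if { [TCP::payload length] < $rend } {
            # ClientHello incomplete: keep collecting; the 500 ms timer stays armed.
            TCP::collect
            return
        }
        # 43 = record hdr(5) + handshake hdr(4) + client_version(2) + random(32).
        # Then skip session_id, cipher_suites, compression_methods (length-prefixed).
        set off 43
        set ok 1
        foreach {fmt size mask} {c 1 0xff S 2 0xffff c 1 0xff} {
            if { [binary scan $p @${off}${fmt} n] != 1 } { set ok 0; break }
            set off [expr {$off + $size + ($n & $mask)}]
        }
        if { $ok && [binary scan $p @${off}S n] == 1 } {
            set off [expr {$off + 2}]
            set xend [expr {$off + ($n & 0xffff)}]
            if { $xend > $rend } { set xend $rend }
            # Each extension: type(2) length(2) data(length)
            while { $off + 4 <= $xend && [binary scan $p @${off}SS etype elen] == 2 } {
                set elen [expr {$elen & 0xffff}]
                if { $etype == 0 } {
                    # server_name: list_len(2) name_type(1) name_len(2) host_name
                    if { [binary scan $p @${off}x6cS ntype nlen] == 2 && $ntype == 0
                         && ($nlen & 0xffff) <= $elen - 5 } {
                        binary scan $p @${off}x9a[expr {$nlen & 0xffff}] sni
                    }
                    break
                }
                set off [expr {$off + 4 + $elen}]
            }
        }
    }
    after cancel $monitor_id
    if { $sni ne "" && [class match -- [string tolower $sni] equals sni_bypass_names] } {
        # Bypass: clientside SSL stays disabled, so the ClientHello passes through.
        log local0. "SNI bypass [IP::client_addr] -> $sni"
    } else {
        # No SNI, unparsable hello, or not listed: re-enable the client SSL profile.
        SSL::enable clientside
    }
    TCP::release
}
```

The timer path in CLIENT_ACCEPTED releases the flow with the client SSL profile still disabled, so a ClientHello that does not arrive in full within 500 ms is passed through rather than intercepted.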
G-Rob
Jan 10, 2023
Employee
Max,
Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.