Forum Discussion

Cirrostratus

Jan 10, 2023

iRule to accept client without checking SSL but check for another clients

Hi everyone 🙂 I need help writing an iRule to do this: 1. Accept only one client IP 2. For other clients who don't match that specific IP, I need to check that CN contains XXX in CLIENTSSL_CLIEN...

application delivery

devops

Paulius

MVP

Jan 10, 2023

MaxMedov The following could work for you and you can just add additional else if statements for the differents hosts that you have to check. Keep in mind the following has an iRule and then the CLI configuration for an associated data-group for a list of IPs that you want to allow without verifying the CN.

*** iRule ***

when CLIENT_ACCEPTED priority 500 {

    set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 510 {

    set HOST [string tolower [HTTP::host]]

    if { !([--class match [IP::remote_addr] == CLASS_NoHostVerificationIPs]) } {
        if { !($HOST == "www.domain.com") } {
            reject
        else { 
            pool $DEFAULT_POOL
        }
    } else {
        pool $DEFAULT_POOL
    }

}

*** Data-group ***

ltm data-group internal CLASS_NoHostVerificationIPs {
    records {
        1.1.1.1/32 { }
    }
    type ip
}

Forum Discussion

iRule to accept client without checking SSL but check for another clients

Recent Discussions

What is the meaning is 52% block in WAF

Rundeck ansible F5 errors

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

DevCentral 2024 - Share Another Day

Check a Virtual Server's SSL Status

Leaked Credential Check with Advanced WAF

Another Bash script to backup a BIG-IP device.

Using F5 Distributed Cloud DNS Load Balancer health checks and DNS observability