
Forum Discussion

John_Antony_162
Oct 09, 2014

iRule to Check Certificate Subject CN and then change host header

Hi,

We have version 11.3.x with LTM and APM. I am looking to use an iRule to check the certificate subject CN value [cert used for authentication] and change the Host header value before sending the traffic to the destination pool.

I am not an expert on iRules; however, with various DevCentral articles, I created this. I also have APM, which checks the "On Demand cert authentication". We need this iRule to run only when the request passes the APM successfully [so I am using ACCESS_POLICY_COMPLETED].

I am getting the error below:

01070151:3: Rule [/Common/Test_iRule] error: line 1: [wrong args] [when ACCESS_POLICY_COMPLETED ] line 3: [undefined procedure:

iRule:

when ACCESS_POLICY_COMPLETED

{

when CLIENTSSL_CLIENTCERT 
{

if {[SSL::cert count] > 0}
    {
    set cert [SSL::cert 0]
    set subject [string tolower [X509::subject $cert]]
    set clientIP [IP::client_addr]
    if { $subject contains "cn=vendor-a" }
        {
        HTTP::header replace Host vendor-a.test.com
        }
else if { $subject contains "cn=vendor-b" }
        {
        HTTP::header replace Host vendor-b.test.com
        }           

    else {
        log $clientIP
        log local0. "cert CN not valid"
        reject
        }
    }
}

}
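
An added example, not part of the original post and not F5's own code: one way to structure the rule as a single top-level event, with the CN compared exactly rather than by substring. It assumes the On-Demand Cert Auth item has stored the certificate subject in the APM session variable `session.ssl.cert.subject` and that the subject is a comma-separated list of attributes; the host names are the ones from the post.

```tcl
# Each "when" is a top-level block with its opening brace on the same line;
# one event cannot be nested inside another.
when ACCESS_ACL_ALLOWED {
    # Fires for every request the APM access policy has already allowed,
    # so HTTP:: commands are valid in this event.
    # Assumption: On-Demand Cert Auth populated this session variable.
    set subject [string tolower [ACCESS::session data get "session.ssl.cert.subject"]]

    # Extract the CN attribute and compare it exactly. A substring test such as
    # 'contains "cn=vendor-a"' would also accept cn=vendor-a2 or ou=cn=vendor-a.
    # Note: this simple split does not handle CN values with escaped commas.
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match "cn=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    switch -- $cn {
        "vendor-a" { HTTP::header replace Host "vendor-a.test.com" }
        "vendor-b" { HTTP::header replace Host "vendor-b.test.com" }
        default {
            # Unknown or missing CN: log with a facility and drop the connection.
            log local0. "cert CN not valid: client=[IP::client_addr] subject=$subject"
            reject
        }
    }
}
```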