Forum Discussion

A_Alkhuja_16976
Nov 05, 2018

iRule to check the client IP along with the client certificate CN

Hi,

I'm trying to narrow the accepted traffic to be from a source IP address with a specific common name (from the authorized certificate), but I'm getting an error:

    can't read "subject": no such variable

I already inserted the client certificate in the client SSL profile Trusted Certificate Authorities and put it as required.

The iRule is:

when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/Test/Service-One") && ([IP::addr [IP::client_addr] equals 1.2.3.4/32]) } {
        if { $subject contains "CN=CL_CN" } {
            log local0.info "BW_C114 clientIP:[IP::client_addr] accessed 19696_Pool With Certificate OK"
            pool AP_19696
        }
    } elseif { ([HTTP::uri] starts_with "/Test/Service-Two") && ([IP::addr [IP::client_addr] equals 1.2.3.5/32]) } {
        log local0.info "BW_C115 clientIP:[IP::client_addr] accessed 19698_Pool"
        pool AP_19698
    } else {
        log local0.info "[HTTP::uri]"
        log local0.info "BW_Reject clientIP:[IP::client_addr] was rejected policy Violation"
        reject
    }
}

Any help, please. Thank you.

2 Replies

  • Check here.

      set cert [SSL::cert 0]
      set subject [X509::subject $cert]
    

    You're not setting $subject anywhere before using it. The above snippet (from the link) may help.
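
An added example, not part of the original thread: the Service-One branch of the question with `$subject` populated from the client certificate before it is tested, as the reply suggests. It goes one step further by comparing the CN as a whole RDN instead of with `contains`, and by rejecting when the certificate check fails. The comma-separated subject format and the reject-on-mismatch behaviour are assumptions of this example; the pool name, URI prefix, IP and CN are the ones from the question.

```tcl
# Added example, not the poster's rule.
when HTTP_REQUEST {
    # Read the peer certificate before testing it. With no certificate on
    # the connection there is nothing to read, so start from an empty subject.
    set subject ""
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
    }

    # Exact CN match: compare each RDN as a whole so that a subject such as
    # "CN=CL_CN_other" does not pass, which a substring test would allow.
    # Assumption: the subject is comma-separated, e.g. "CN=CL_CN,OU=...,O=...".
    set cn_ok 0
    foreach rdn [split $subject ","] {
        if { [string trim $rdn] equals "CN=CL_CN" } {
            set cn_ok 1
            break
        }
    }

    if { ([HTTP::uri] starts_with "/Test/Service-One") &&
         [IP::addr [IP::client_addr] equals 1.2.3.4/32] && $cn_ok } {
        log local0.info "BW_C114 clientIP:[IP::client_addr] subject:$subject accessed 19696_Pool With Certificate OK"
        pool AP_19696
    } else {
        # Fail closed: wrong path, wrong source IP, missing certificate or
        # wrong CN all end here instead of falling through to a default pool.
        log local0.info "BW_Reject clientIP:[IP::client_addr] subject:$subject uri:[HTTP::uri]"
        reject
    }
}
```

Log the subject your BIG-IP version actually returns once before relying on the RDN split, since the string layout is what the exact match depends on.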