Forum Discussion
iRule to match SNI
I have configured one VS with multiple SSL profiles, and one SSL profile is marked as default SNI.
I need to write an iRule to match the SNI (during Client Hello) only for the assigned SSL profiles; the rest should be blocked.
E.g., if my VS is assigned 2 SSL profiles with common names abc.com and ccc.com, I need to write an iRule that matches only the abc and ccc common names; the rest should be blocked, whether accessed by IP or via some other common name.
Kindly share your inputs for writing the iRule.
Hi Karthick,
    when HTTP_REQUEST {
        switch [HTTP::host] {
            "abc.com" -
            "www.abc.com" -
            "ccc.com" -
            "www.ccc.com" { }
            default { reject }
        }
    }
- Karthick1
Dear Eaa,
Thanks for your comments. Yes, I have done the same iRule that you shared, using class match.
But I need to match using the SNI during Client Hello. I tried using this cmd "SSL::sni name" but it is not working.
Hi Karthick,
Can you try with [SSL:extension sni name] ?
    when CLIENTSSL_CLIENTHELLO {
        if { [SSL:extension sni name] ends_with "abc.com" } {
            # ..
        }
    }
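An added example, not part of the thread and not any poster's code: one way to enforce the SNI allowlist at Client Hello by reading the raw server_name extension (type 0) with `SSL::extensions` and `binary scan`. It assumes `SSL::extensions -type 0` returns the whole extension including its 4-byte type/length header, and that the allowed names are the two common names from the question.

```tcl
when CLIENTSSL_CLIENTHELLO {
    # Assumption: the allowed names are the two common names from the question.
    set allowed_sni [list "abc.com" "ccc.com"]
    set sni_name ""

    # TLS extension type 0 is server_name (RFC 6066).
    if { [SSL::extensions exists -type 0] } {
        set ext [SSL::extensions -type 0]
        # Layout: ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name(n)
        if { [binary scan $ext @6cS name_type name_len] == 2
             && $name_type == 0
             && $name_len > 0
             && $name_len <= [string length $ext] - 9 } {
            binary scan $ext @9a${name_len} sni_name
            set sni_name [string tolower $sni_name]
        }
    }

    # No SNI (for example a client connecting by IP address), a malformed
    # extension, or a name outside the list all end up here.
    if { [lsearch -exact $allowed_sni $sni_name] == -1 } {
        log local0. "Rejecting ClientHello from [IP::client_addr]: SNI '$sni_name' not allowed"
        reject
        return
    }
}
```

The SNI is client-supplied and is not tied to the HTTP Host header sent later inside the tunnel, so a Host check in HTTP_REQUEST like the one earlier in the thread complements this rule and does not duplicate it.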
- Karthick1
Thanks, Eaa