iRule to select different SSL profiles based on the client IP address
Hi, wondering if anyone can help. I have a requirement to enable client authentication on one of the URLs, but only for one of the clients; the rest keep using the existing profile. So I will have 2 SSL profiles, both applied to the same virtual server. Can I use an iRule to select a different profile based on the source IP address?
thanks in advance
4 Replies
- Kevin_Stewart
Employee
Try this from the SSL::profile wiki page:
```tcl
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals "1.1.1.1"] } {
        SSL::profile host1_profile
    } else {
        SSL::profile ssl_profile2
    }
}
```
- Tim_Enos_126618
Nimbostratus
Yes, which SSL profile is used is determined by the iRule. You don't need to configure a default one, though it doesn't harm anything if you do.
For what it's worth, I'm using such an iRule for a purpose similar to yours:
```tcl
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals "private_net"] } {
        SSL::profile A
    } else {
        SSL::profile B
    }
}
```
- leira_6079
Nimbostratus
I realize this is an old post. The profile set in the CLIENT_ACCEPTED event takes effect before the SSL negotiation happens. I wonder why you need SSL::renegotiate in the subsequent HTTP_REQUEST event.
- Tim_Enos_126618
Nimbostratus
@leira,
I should have never included that (when) statement in the first place, and have just now removed it from my original answer. Many apologies for the confusion.
Back to the original question, the only substantive difference between my answer and the first one offered is that it used a class in which the source IP of interest would be included.
FWIW I'm disinclined to hard-code an IP address as e.g. the address of the node of interest could change. Using a class as opposed to hard-coding an IP address in the iRule itself is IMO more appropriate as the former both precludes the need to modify the iRule itself and is more scalable (the class can be referenced by multiple iRules).
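To make the data-group approach from the replies above concrete, here is an added example (not code from this thread or from F5's SSL::profile wiki). It assumes a hypothetical address-type data group named `client_auth_net` and two hypothetical client SSL profiles, `clientssl_client_auth` (client certificate required) and `clientssl_default`; the tmsh line in the comment shows the usual way such a data group is created. Compared with the fragments above it adds CIDR entries, an explicit fallback, and a log line so you can verify which peers are actually being steered to the client-certificate profile.

```tcl
# Added example, not from the thread or F5. Hypothetical names:
#   data group       : client_auth_net   (type ip, host and CIDR entries)
#   client SSL profs : clientssl_client_auth, clientssl_default
#
# The data group is created once, outside the iRule, e.g. with tmsh:
#   create ltm data-group internal client_auth_net type ip \
#       records add { 192.0.2.10/32 { } 198.51.100.0/24 { } }
# (addresses are constructed documentation-range samples)
#
# The profile must be chosen in CLIENT_ACCEPTED: SSL::profile has to run
# before the TLS handshake begins, so only the TCP 4-tuple is known here;
# nothing from CLIENTSSL_* or HTTP_* events is available yet.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # class match on an address-type data group matches both single
    # hosts and CIDR ranges, so no IP address is hard-coded in the rule
    # and the rule need not change when the peer's address does.
    if { [class match $client equals client_auth_net] } {
        set profile "clientssl_client_auth"
    } else {
        set profile "clientssl_default"
    }
    SSL::profile $profile

    # Audit trail: record which profile each connection was steered to,
    # so the client-certificate requirement can be confirmed from logs.
    log local0. "client $client:[TCP::client_port] -> SSL profile $profile"
}
```

Keep in mind that the selection is based solely on the source address seen by the virtual server; if clients arrive through a proxy or NAT, the address in `client_auth_net` must be the one the BIG-IP actually observes.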