Forum Discussion

Fletcher_Cocquy's avatar
Fletcher_Cocquy
Icon for Nimbostratus rankNimbostratus
Jan 20, 2010

iRule to tack on full domain

Fellow BigIP users,   we are looking for an iRule to rewrite unqualified domain requests to the FQDN.   This is coming from our security folks who would like the HTTPS requests to all be ful...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 20, 2010
Hi Fletch,

 

 

Are you trying to eliminate the mismatched cert warnings altogether? Or just handle clients who request the unqualified domain (UQDN?) after they accept the mismatched cert?

 

 

If the former, you'd have to handle the redirect before they make a request for HTTPS. You could try doing this on an HTTP VIP assuming the clients make a request via HTTP first. You would need to hard code the FQDN that corresponds to each "UQDN" that is requested. This could be done in a datagroup and referenced using the findclass or class command.

 

 

For the latter, I don't know of a way to get any details on the cert that LTM uses as a server for the clientside connection. You can get access the client's public cert if the client provides a cert, using SSL::cert (Click here). PROFILE::clientssl would give you details on the client SSL profile currently in use. But the options there are along what you can find by running 'b profile clientssl list all' at the command line. Nothing explicitly tells you the common name of the cert. I don't think you can access LTM's server cert from an iRule.

 

 

Maybe someone can suggest a way though. If not, you could hard code the UQDN to FQDN and then redirect the client to the correct domain name.

 

 

Aaron