Forum Discussion

Tejaswini23_356
May 30, 2018

Need an irule for 2FA

Below is the pseudo logic requirement

If {Valid Cert exist && IP Range in Internal} Then
    Route to WebServer (Reverse Proxy) Pool-1 + Set HTTP_HOST Header.
    If {User accessed x DNS} Then set HTTP_HOST value as x DNS.
    else If {User accessed y DNS} Then set HTTP_HOST value as y DNS.
    end If
else If {Valid Cert exist && IP Range not in Internal} Then
    Route to WebServer (Reverse Proxy) Pool-2 + Set HTTP_HOST Header.
    If {User accessed x DNS} Then set HTTP_HOST value as x DNS.
    else If {User accessed y DNS} Then set HTTP_HOST value as y DNS.
    end If
else If {No Valid Cert exist && IP Range not in Internal} Then
    Route to WebServer (Reverse Proxy) Pool-3 + Set HTTP_HOST Header.
    If {User accessed x DNS} Then set HTTP_HOST value as x DNS.
    else If {User accessed y DNS} Then set HTTP_HOST value as y DNS.
    end If
end If

We have an existing application from which I can see how to validate the cert and the internal IP range, but I am not sure how to write a proper iRule for the above requirement.

when CLIENT_ACCEPTED {
    # Per-connection state. Plain (local) variables are used instead of
    # $::globals: a global is shared by every connection on the TMM, so one
    # client's cert status would leak into another's, and it disables CMP.
    set sslstatuscode 100
    set fromBA 0
    set gotcert 0
}

when CLIENTSSL_CLIENTCERT {
    set sslstatuscode 100
    if { [SSL::cert count] > 0 } {
        # 0 means the certificate chain verified successfully
        set sslstatuscode [SSL::verify_result]
        log local0. "verify result 1 is [SSL::verify_result]"
    }
}

when HTTP_REQUEST {
    # Force a renegotiation that requests the client certificate
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode request
    SSL::renegotiate enable
    SSL::renegotiate

    log local0. "Renegotiating Client Cert, got [SSL::cert count] certs"

    if { [SSL::cert count] > 0 } {
        set sslstatuscode [SSL::verify_result]
        log local0. "verify result 2 is [SSL::verify_result]"
        set gotcert 1
    } else {
        set gotcert 0
    }

    if { !([HTTP::uri] equals "/pwd") && !([HTTP::uri] equals "/2fa_dna") && !([HTTP::uri] equals "/2fa") } {

        if { $gotcert == 1 } {
            # We check if we're coming from one of our Web Proxies
            if { [class match [IP::remote_addr] eq WebProxy] } {
                set fromBA 1
            }
            # Or if we're coming from outside
        } else {
            set fromBA 0
        }

        log local0. "ssl status is $sslstatuscode"
        if { ($gotcert == 1) && ($fromBA == 1) } {
            HTTP::redirect "https://application.com/pwd"
            log local0. "going to pwd"
        } elseif { ($gotcert == 1) && ($fromBA == 0) } {
            HTTP::redirect "https://application.com/2fa_dna"
            log local0. "going to 2fa_dna"
        } elseif { ($gotcert == 0) && ($fromBA == 1) } {
            HTTP::redirect "https://application.com/2fa"
            log local0. "going to 2fa"
        } else {
            HTTP::redirect "https://application.com/2fa"
            log local0. "going to else 2fa"
        }
    }
}

No replies
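One way to express the pseudo-logic in the post as a single iRule, as an added example that is not from the original post. It assumes a client-SSL profile that requests the client certificate during the handshake (so CLIENTSSL_CLIENTCERT fires), an address data group named internal_nets holding the internal range, pool names pool_1/pool_2/pool_3, and placeholder hostnames x.example.com and y.example.com; the fourth combination (internal address without a valid cert), which the requirement leaves undefined, is rejected explicitly rather than allowed to fall through.

```tcl
# Added example, not the poster's code. Names below are assumptions:
# data group "internal_nets", pools pool_1/pool_2/pool_3, hosts x/y.example.com.
when CLIENT_ACCEPTED {
    # Per-connection (local) variable; a $::global would be shared by all
    # connections and leak one client's cert status into another's.
    set cert_ok 0
}

when CLIENTSSL_CLIENTCERT {
    # "Valid cert" = a cert was presented AND the chain verified (0 == OK)
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_ok 1
    } else {
        set cert_ok 0
    }
}

when HTTP_REQUEST {
    # Is the client address inside the internal range? (1 or 0)
    set internal [class match [IP::client_addr] equals internal_nets]

    # Normalise the requested host: lower-case and strip any ":port",
    # then pin the Host header to the exact name that was matched.
    set host [getfield [string tolower [HTTP::host]] ":" 1]
    switch -- $host {
        "x.example.com" { HTTP::header replace Host "x.example.com" }
        "y.example.com" { HTTP::header replace Host "y.example.com" }
        default {
            # Host is neither x nor y: do not forward it anywhere
            HTTP::respond 404 content "Unknown host" noserver
            return
        }
    }

    if { $cert_ok && $internal } {
        pool pool_1
    } elseif { $cert_ok && !$internal } {
        pool pool_2
    } elseif { !$cert_ok && !$internal } {
        pool pool_3
    } else {
        # Internal client with no valid cert: not covered by the requirement,
        # so reject explicitly instead of silently falling through.
        HTTP::respond 403 content "Client certificate required" noserver
        return
    }
    log local0. "cert_ok=$cert_ok internal=$internal host=$host"
}
```

Because the certificate is evaluated in CLIENTSSL_CLIENTCERT, this version does not need the per-request renegotiation used in the existing iRule; if the profile only requests the cert on renegotiation, that part would have to be kept.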