Forum Discussion

Brandon_nodnarb
Mar 02, 2005

Need help with an irule to determine path

We have a requirement for our external customers to present a valid certificate. We have a rule for this, but we need a rule in front of this one that says anybody coming from our internal/trusted IP range gets passed straight to the pool and not to the rule that verifies certificates. Here is our current rule. Any help would be greatly appreciated.


Thanks,

Brandon

For testing purposes let's use 192.168.100.0/24 for our trusted IP range.

and pool "test_pool"

CURRENT IRULE

when CLIENTSSL_CLIENTCERT {
    # check the status of the client cert
    # store the value in the session table
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
}

when HTTP_REQUEST {
    set id [SSL::sessionid]
    # look up this session to find out what our cert status is
    # if we see that the status is OK then we insert a header
    set y [session lookup ssl $id]
    if { $y contains "ok" } {
        HTTP::header insert SSLCLientCertStatus $y
    } else {
        # we get here because the status was not "ok"
        HTTP::redirect http://yourcertisinvalid.com/nogood.htm
    }
}
  • I've tried using variants of this rule, but keep getting token errors and parse errors....

    Do no examples in the Configuration Guide for LTM work!!!!!?????

    rule my_iRule {
        when CLIENTSSL_HANDSHAKE {
            if { [IP::local_addr] == 10.10.10.10 } {
                use pool my_pool
            }
        }
  • I see a couple of problems with the code.

    1. When entering a rule in the GUI, you don't include the "rule rule_name {" piece of the code. The GUI strips this out and includes it when saving the configuration to the configuration store.

    2. The braces don't match up. There is no closing brace for the "rule rule_name" line.

    Give this a try...

    when CLIENTSSL_HANDSHAKE {
        if { [IP::addr [IP::local_addr] equals "10.10.10.10"] } {
            use pool my_pool
        }
    }

    I pulled this out of this post:

    http://devcentral.f5.com/default.aspx?tabid=28&forumid=5&postid=1540&view=topic

    -Joe
  • Thanks. I will give that a try. As a general rule I don't include "irule my_irule" in my iRules. The example comes straight from F5.

    Brandon
  • drteeth_127330
    Historic F5 Account
    One more thing. If the SSLCLientCertStatus header is used for authorization, then you should be sure to remove it first in case a client is trying to trick you.
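Putting the thread together, here is an added example iRule (written for this page, not code from the thread or from F5) that does what the question asks: clients from the trusted range 192.168.100.0/24 go straight to test_pool (both names from the question), every request first has any client-supplied SSLCLientCertStatus header removed (drteeth's point), and everyone else goes through the certificate check from the original rule. It tests the client's own address with IP::client_addr, because the requirement is about where the connection comes from; Joe's snippet tests IP::local_addr, which is the address of the virtual server itself. The pool name for certificate-checked clients is left to the default pool of the virtual server, which is an assumption.

```tcl
# Added example iRule (not from the thread). Assumes:
#   - 192.168.100.0/24 is the trusted internal range (from the question)
#   - test_pool is the pool trusted clients should reach directly (from the question)
#   - all other clients fall through to the virtual server's default pool

when CLIENTSSL_CLIENTCERT {
    # Record the verification result against the SSL session id, as in the original rule.
    # X509::verify_cert_error_string returns "ok" when the chain verified cleanly.
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
}

when HTTP_REQUEST {
    # Strip any copy of the status header the client sent itself. The back end trusts
    # this header for authorization, so only the BIG-IP may ever set it.
    HTTP::header remove SSLCLientCertStatus

    # Trusted internal clients bypass the certificate check entirely.
    # IP::addr understands CIDR notation, so the whole /24 is matched in one test.
    # 'return' ends HTTP_REQUEST processing here, so the code below never runs for them.
    if { [IP::addr [IP::client_addr] equals 192.168.100.0/24] } {
        pool test_pool
        return
    }

    # Everyone else: look up the verification result stored during the handshake.
    set y [session lookup ssl [SSL::sessionid]]
    if { $y contains "ok" } {
        # Only the BIG-IP inserts this header, after the client-supplied copy was removed above.
        HTTP::header insert SSLCLientCertStatus $y
    } else {
        # No stored status, or a status other than "ok": send the client to the error page.
        HTTP::redirect "http://yourcertisinvalid.com/nogood.htm"
    }
}
```

Two things to check when deploying a rule like this. First, the client SSL profile's client certificate setting must be "request" rather than "require": with "require", a client that presents no certificate is rejected during the handshake, before HTTP_REQUEST ever runs, so the bypass branch would never be reached for an internal client without a certificate. Second, the bypass trusts the source address, so it is only as strong as the anti-spoofing and proxy layout in front of the BIG-IP; if internal traffic arrives through a proxy or NAT, IP::client_addr is the proxy's address, and the back end should treat a request that arrives with no SSLCLientCertStatus header as not certificate-authenticated rather than as implicitly trusted.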