Thornid
Nimbostratus
Jul 01, 2019
Restrict Source IPs iRule
Hi all
Forgive what may be such an easy iRule question but unfortunately my experience with them is rather limited and time is of the essence. We have an iRule which looks to be doing something w...
Thornid
Nimbostratus
Jul 01, 2019
Hi iaine
Hasn't quite worked as expected. I added the new code snippet as follows:
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 1.2.3.4/32] } {
            SSL::profile new-ssl-profile
            set sourceip 1
        }
    }
    when CLIENTSSL_CLIENTCERT priority 500 {
        if { [info exists sourceip] } {
            return
        }
        set cnAllowClass "[string range [virtual name] 0 end-2]cn_allow_class"
        set clientCertRequiredClass "[string range [virtual name] 0 end-2]client_cert_required_class"
        set clientCertHeaderName "ssl_client_cert"
        set clientIP [IP::client_addr]
        if {[SSL::cert count] eq 0} {
            reject
            return
        } else {
            set subjectDN [string tolower [X509::subject [SSL::cert 0]]]
            if {[class match $subjectDN contains $clientCertRequiredClass] ne 0} {
                set clientCertHeaderValue [b64encode [SSL::cert 0]]
                set flgInsertClientCertHeader 1
            }
        }
        set cnExists [class match $subjectDN contains $cnAllowClass]
        if {$cnExists ne 0} {
        } else {
            reject
        }
    }
...yet when we debug this we see that the iRule does not stop at the CLIENTSSL_CLIENTCERT event and we get this log:
TCL error: /Common/test-irule <HTTP_REQUEST> - can't read "clientCertHeaderName": no such variable while executing "HTTP::header exists $clientCertHeaderName"
Any ideas?
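An added example, not part of the original post or the poster's iRule: `return` only ends the current event, so HTTP_REQUEST still runs for the exempt source and reads variables that the skipped CLIENTSSL_CLIENTCERT code never set. The sketch below initialises them in CLIENT_ACCEPTED; the HTTP_REQUEST body is an assumption (the thread shows only the error it raised), and it always strips a client-supplied `ssl_client_cert` header so an exempt client cannot present its own value to the pool.

```tcl
# Added example; the HTTP_REQUEST handler is assumed, since the thread does not show it.
when CLIENT_ACCEPTED {
    # Connection-scoped defaults: every later event can read these safely,
    # whether CLIENTSSL_CLIENTCERT returns early or never fires.
    set sourceip 0
    set flgInsertClientCertHeader 0
    set clientCertHeaderName "ssl_client_cert"
    set clientCertHeaderValue ""
    if { [IP::addr [IP::client_addr] equals 1.2.3.4/32] } {
        SSL::profile new-ssl-profile
        set sourceip 1
    }
}

when CLIENTSSL_CLIENTCERT priority 500 {
    # Exempt source: skip the certificate checks, defaults stay in place.
    if { $sourceip } { return }

    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    set prefix [string range [virtual name] 0 end-2]
    set subjectDN [string tolower [X509::subject [SSL::cert 0]]]
    if { [class match $subjectDN contains "${prefix}client_cert_required_class"] } {
        set clientCertHeaderValue [b64encode [SSL::cert 0]]
        set flgInsertClientCertHeader 1
    }
    if { ![class match $subjectDN contains "${prefix}cn_allow_class"] } {
        reject
    }
}

when HTTP_REQUEST {
    # Never forward a header value supplied by the client itself.
    HTTP::header remove $clientCertHeaderName
    # Insert the header only when the certificate checks above asked for it.
    if { $flgInsertClientCertHeader } {
        HTTP::header insert $clientCertHeaderName $clientCertHeaderValue
    }
}
```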
