Forum Discussion
Brad_53264
Feb 03, 2012
Nimbostratus
Route traffic based on SSL client certificate
I need to route incoming traffic to two different pools based on matching a pattern of the SSL client certificate subject.
Here are examples of 4 different SSL client certificates.
CN=ABC.100.1232123,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country
CN=ABC.100.3212341,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country
CN=ABC.200.1321232,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country
CN=ABC.300.5341213,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country
I need all clients that have ABC.100 or ABC.200 in their subject to be routed to pool1, all other clients should be routed to pool2.
Ideally the list of ABC.100 and ABC.200 would be contained in a flat file outside the iRule, so that it can be easily updated.
Can someone help create this iRule?
```
if ( subject matches ABC.100 or ABC.200 ) {
    route pool1
} else {
    route pool2
}
```
nitass
Employee
e.g.

```
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve1023:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "root.crt"
   peer cert mode require
}
```

```tcl
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      set vs "[IP::local_addr]:[TCP::local_port]"
   }
   when CLIENTSSL_CLIENTCERT {
      set subject_dn [X509::subject [SSL::cert 0]]
      if {[class match -- $subject_dn contains subject_list]} {
         pool foo1
      } else {
         pool foo2
      }
   }
   when SERVER_CONNECTED {
      log local0. "$subject_dn | [IP::client_addr]:[TCP::client_port] -> $vs -> [IP::server_addr]:[TCP::server_port]"
   }
}
```

```
[root@ve1023:Active] config b class subject_list list
class subject_list {
   "ABC.100.1232123"
}
[root@ve1023:Active] config cat /var/log/ltm
Feb 3 09:07:20 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.100.1232123,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50591 -> 172.28.19.79:443 -> 200.200.200.101:80
Feb 3 09:07:27 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.300.5341213,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50593 -> 172.28.19.79:443 -> 200.200.200.102:80
Feb 3 09:07:37 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.300.5341213,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50596 -> 172.28.19.79:443 -> 200.200.200.102:80
Feb 3 09:07:44 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.100.1232123,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50598 -> 172.28.19.79:443 -> 200.200.200.101:80
```
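The routing decision in the question and in the reply above, worked through as an added, stand-alone Python example (not from the original thread, not F5 code, and not an iRule). It models the data group as a flat file of CN prefixes, parses the subject DN into its RDNs (honouring RFC 4514 backslash escapes), and routes on the CN only. A second function reproduces the reply's looser rule, a `contains` match against the whole DN string, so the two can be compared: the loose rule also sends a certificate whose OU happens to contain the listed prefix, or whose CN is `ABC.1000.x`, to pool1. The four subject lines are the ones from the question; the other DNs, the file contents, and the pool names are constructed for the example.

```python
"""Pool selection from an X.509 subject DN (added example, not F5 or iRule code)."""

# Constructed stand-in for the flat file the asker wants to keep outside the rule:
# one CN prefix per line, '#' comments and blank lines ignored.
SUBJECT_FILE = """
# clients routed to pool1
ABC.100
ABC.200
"""

# The four subject lines quoted in the question, plus two constructed edge cases.
QUESTION_DNS = [
    "CN=ABC.100.1232123,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country",
    "CN=ABC.100.3212341,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country",
    "CN=ABC.200.1321232,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country",
    "CN=ABC.300.5341213,OU=Organization Unit 1,OU=Organization Unit 2,O=Organization,L=Location,ST=State,C=Country",
]
OU_LOOKALIKE_DN = "CN=ABC.300.5341213,OU=ABC.100 Liaison,O=Organization,C=Country"   # constructed
LONGER_PREFIX_DN = "CN=ABC.1000.1,O=Organization,C=Country"                            # constructed


def load_subject_list(text):
    """Parse the flat-file format above into a list of CN prefixes."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def parse_dn(dn):
    """Split an RFC 4514 string DN into (attribute, value) pairs.

    Handles backslash escapes (e.g. 'O=Acme\\, Inc.'), so a comma inside a
    value does not start a new RDN. Multi-valued RDNs joined with '+' are
    not split; they are rare in client certificates and out of scope here.
    """
    pairs, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:          # first '=' ends the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":                         # unescaped ',' ends the RDN
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is not None:
        pairs.append((attr, "".join(buf)))
    return pairs


def select_pool(subject_dn, prefixes):
    """Route on the CN only: pool1 if the CN equals a prefix or starts with 'prefix.'."""
    cns = [value for attr, value in parse_dn(subject_dn) if attr.upper() == "CN"]
    for cn in cns:
        for prefix in prefixes:
            if cn == prefix or cn.startswith(prefix + "."):
                return "pool1"
    return "pool2"


def select_pool_substring(subject_dn, prefixes):
    """The reply's looser rule for comparison: substring match on the whole DN."""
    return "pool1" if any(prefix in subject_dn for prefix in prefixes) else "pool2"


def route_all(dns, prefixes):
    """Return {dn: (strict_pool, substring_pool)} so the two rules can be compared."""
    return {dn: (select_pool(dn, prefixes), select_pool_substring(dn, prefixes)) for dn in dns}


if __name__ == "__main__":
    prefixes = load_subject_list(SUBJECT_FILE)
    for dn, (strict, loose) in route_all(QUESTION_DNS + [OU_LOOKALIKE_DN, LONGER_PREFIX_DN], prefixes).items():
        flag = "" if strict == loose else "   <- rules disagree"
        print(f"{strict} / {loose}  {dn}{flag}")
```

On the BIG-IP the same tightening is available in the iRule by extracting the CN from `[X509::subject [SSL::cert 0]]` before the `class match`, so the data group is compared against the CN rather than against the whole DN string.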