Forum Discussion
Brad_53264
Feb 03, 2012 (Nimbostratus)
Route traffic based on SSL client certificate
I need to route incoming traffic to two different pools based on matching a pattern of the SSL client certificate subject.
Here are examples of 4 different SSL client certificates. ...
nitass
Feb 03, 2012 (Employee)
e.g.
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve1023:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "root.crt"
   peer cert mode require
}
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      # remember the virtual server address:port for the log line below
      set vs "[IP::local_addr]:[TCP::local_port]"
   }
   when CLIENTSSL_CLIENTCERT {
      # subject DN of the presented client certificate, compared against data group subject_list
      set subject_dn [X509::subject [SSL::cert 0]]
      if {[class match -- $subject_dn contains subject_list]} {
         pool foo1
      } else {
         pool foo2
      }
   }
   when SERVER_CONNECTED {
      log local0. "$subject_dn | [IP::client_addr]:[TCP::client_port] -> $vs -> [IP::server_addr]:[TCP::server_port]"
   }
}
[root@ve1023:Active] config b class subject_list list
class subject_list {
   "ABC.100.1232123"
}
[root@ve1023:Active] config cat /var/log/ltm
Feb 3 09:07:20 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.100.1232123,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50591 -> 172.28.19.79:443 -> 200.200.200.101:80
Feb 3 09:07:27 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.300.5341213,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50593 -> 172.28.19.79:443 -> 200.200.200.102:80
Feb 3 09:07:37 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.300.5341213,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50596 -> 172.28.19.79:443 -> 200.200.200.102:80
Feb 3 09:07:44 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.100.1232123,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50598 -> 172.28.19.79:443 -> 200.200.200.101:80
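An added check (editor's example, not part of nitass's post) that replays the /var/log/ltm lines above against the routing decision: it parses each SERVER_CONNECTED line, maps the chosen server address to a pool, and compares that with what the data group would select. Assumptions: the foo1/foo2 mapping to 200.200.200.101/.102 is inferred from the log (the post never lists pool members), and `exact=False` reproduces my reading of `class match ... contains`, where a data-group entry matches when it appears anywhere in the subject DN string; `exact=True` compares the CN value alone, which is the tighter check.

```python
import re

# Constructed sample: two of the /var/log/ltm lines quoted in the post above.
LTM_LOG = """\
Feb 3 09:07:20 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.100.1232123,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50591 -> 172.28.19.79:443 -> 200.200.200.101:80
Feb 3 09:07:27 local/tmm info tmm[4369]: Rule myrule SERVER_CONNECTED: CN=ABC.300.5341213,O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB | 172.28.19.80:50593 -> 172.28.19.79:443 -> 200.200.200.102:80
"""

# Assumption: server address -> pool name, inferred from the log (not in the post's config).
POOL_BY_SERVER = {"200.200.200.101": "foo1", "200.200.200.102": "foo2"}
SUBJECT_LIST = {"ABC.100.1232123"}  # entries of data group subject_list

LINE_RE = re.compile(
    r"SERVER_CONNECTED: (?P<dn>.+?) \| (?P<client>\S+) -> (?P<vs>\S+) -> (?P<server>\S+)$"
)

def parse_dn(dn):
    """Split 'CN=..,O=..' into a dict; these sample DNs contain no escaped commas."""
    return dict(part.split("=", 1) for part in dn.split(","))

def expected_pool(dn, exact=True):
    """Pool the iRule should pick for a subject DN.
    exact=True  : the CN value must equal a data-group entry.
    exact=False : any entry appearing as a substring of the whole DN matches
                  (the 'class match ... contains' behaviour, as read by the editor)."""
    if exact:
        hit = parse_dn(dn).get("CN") in SUBJECT_LIST
    else:
        hit = any(entry in dn for entry in SUBJECT_LIST)
    return "foo1" if hit else "foo2"

def audit(log_text, exact=True):
    """Return (cn, actual_pool, expected_pool, ok) for each SERVER_CONNECTED line."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dn = m.group("dn")
        actual = POOL_BY_SERVER.get(m.group("server").rsplit(":", 1)[0], "unknown")
        exp = expected_pool(dn, exact)
        results.append((parse_dn(dn).get("CN"), actual, exp, actual == exp))
    return results

if __name__ == "__main__":
    for row in audit(LTM_LOG):
        print(row)
```

Running the audit with `exact=False` on a DN whose CN merely contains a list entry (for instance a constructed `CN=XABC.100.12321239`) still yields foo1, which is why the CN-equality comparison is the one to prefer for a routing decision.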