Forum Discussion

Ryan_Rowe_79249
Sep 24, 2009

Rule to use different SSL Profile

I need a rule so that when someone comes in, it points them to a different SSL cert profile (i.e. addresses a, b, c use serverSSL; all others use client SSL). Would that be possible to do in one rule, or should I create two virtual servers with two different profiles and put an IP restriction rule in?
  • Here's an example that may help (from the SSL::enable command on the iRules wiki page):


     when CLIENT_ACCEPTED {
         # Anything outside 10.0.0.0/8 gets SSL switched on for this connection
         if { !([IP::addr [IP::client_addr] equals 10.0.0.0/8]) } {
            SSL::enable
            # Only meaningful if an earlier TCP::collect is holding the connection
            TCP::release
            # Clear the "still needs enabling" flag used by the rest of the wiki example
            set sslenable 0
         }
     }


    The logic above essentially says "if it's NOT a 10.x address, use SSL." You can easily enable/disable serverside or clientside SSL with the SSL::enable and SSL::disable commands. Have a look at:

    http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__enable.html

    http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__disable.html

    HTH,

    Matt
  • So I am guessing that this would be what I am looking for:


     when CLIENT_ACCEPTED {
         # The original post left the data group name blank after "$::";
         # "ssl_clients" is a placeholder name, substitute your own address data group
         if { [matchclass [IP::client_addr] equals $::ssl_clients] } {
             # Listed addresses: terminate SSL on the client side, plaintext to the pool
             SSL::enable clientside
             SSL::disable serverside
         } else {
             # Everyone else: plaintext from the client, re-encrypt toward the pool
             SSL::disable clientside
             SSL::enable serverside
         }
     }


    This (if I am reading it right) will enable the clientside SSL for a set of IPs and disable the SSL on the serverside, and the other way round if not. Then I set both cert profiles in the virtual server.

    Is this right?
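For reference, here is a complete iRule that does what the thread discusses, written as an added example rather than code from either poster. It assumes a virtual server with both a client SSL profile and a server SSL profile attached, and an address-type data group called ssl_clients (a hypothetical name) listing the client addresses or subnets that should be terminated with the client SSL profile. It uses the v10 "class match" form; the v9 "matchclass" equivalent is shown in a comment.

```tcl
# Added example, not from the original thread. Toggles clientside and
# serverside SSL per connection based on the client address.
# Assumes: a virtual server with BOTH a client SSL profile and a server SSL
# profile attached, and an address-type data group named "ssl_clients"
# (hypothetical name) holding the addresses/subnets that get clientside SSL.
when CLIENT_ACCEPTED {
    # v10+ form. On v9 use:  matchclass [IP::client_addr] equals $::ssl_clients
    if { [class match [IP::client_addr] equals ssl_clients] } {
        # Listed clients: decrypt on the client side, send plaintext to the pool
        SSL::enable clientside
        SSL::disable serverside
        log local0. "SSL: clientside termination for [IP::client_addr]"
    } else {
        # Everyone else: accept plaintext from the client, re-encrypt to the pool
        SSL::disable clientside
        SSL::enable serverside
        log local0. "SSL: serverside re-encryption for [IP::client_addr]"
    }
}
```

Two caveats worth keeping in mind. SSL::enable and SSL::disable only switch the profiles already attached to the virtual server on or off for the current connection; they do not choose between two different certificates, so if the real requirement is a different certificate per client group, the two-virtual-server approach from the question is the one that works. Also, a connection on which clientside SSL has been disabled must arrive in plaintext on that port, so clients outside the data group are not getting transport encryption from the client to the BIG-IP at all, which is a downgrade you should confirm is intended before deploying this.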