TJ_Vreugdenhil
Cirrus
CirrusAFM FQDN whitelist outbound HTTP (host header) and HTTPS (SNI sub-CA cert) Data Group iRule
Hello! - We would like to be able to create a AFM FQDN whitelist irule with a datagroup entry specifically to match host header with HTTP and to match SNI with HTTPS. Decrypted inspection would utilize company sub-CA cert/key based on existing client-trusted CA.
Does someone have a example data group and iRule to use for this? How can I match on an existing sub-CA cert?
Would something like this work?
ltm data-group internal FQDN_ALLOWED_LIST {
records {
.site1.com { }
.site2.com { }
}
type string
}
ltm data-group internal CLIENT_CERT_INFO {
records {
companycertname { }
}
type string
}
#Apply to outbound AFM HTTPS VIP
when CLIENTSSL_HANDSHAKE {
if { [SSL::extensions exists -type 0] } then {
set tls_sni_extension [SSL::extensions -type 0]
}
}
when HTTP_REQUEST {
if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) && ([class match $tls_sni_extension contains CLIENT_CERT_INFO]) } {
log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST"
return
} else {
log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST"
drop
}
}
#Apply to outbound AFM HTTP VIP
when HTTP_REQUEST {
if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) } {
log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST"
return
} else {
log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST"
drop
}
}Thanks!!
TJ