cancel
Showing results for 
Search instead for 
Did you mean: 

AFM FQDN whitelist outbound HTTP (host header) and HTTPS (SNI sub-CA cert) Data Group iRule

TJ_Vreugdenhil
Altocumulus
Altocumulus

Hello! - We would like to be able to create a AFM FQDN whitelist irule with a datagroup entry specifically to match host header with HTTP and to match SNI with HTTPS. Decrypted inspection would utilize company sub-CA cert/key based on existing client-trusted CA.

 

Does someone have a example data group and iRule to use for this? How can I match on an existing sub-CA cert?

 

Would something like this work?

ltm data-group internal FQDN_ALLOWED_LIST { records { .site1.com { } .site2.com { } } type string }   ltm data-group internal CLIENT_CERT_INFO { records { companycertname { } } type string }   #Apply to outbound AFM HTTPS VIP when CLIENTSSL_HANDSHAKE { if { [SSL::extensions exists -type 0] } then { set tls_sni_extension [SSL::extensions -type 0] } } when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) && ([class match $tls_sni_extension contains CLIENT_CERT_INFO]) } { log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST" return } else { log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST" drop } }   #Apply to outbound AFM HTTP VIP when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) } { log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST" return } else { log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST" drop } }

 

Thanks!!

TJ

 

 

0 REPLIES 0