Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

iRule to accept client then check certificate

MaxMedov
Cirrus
Cirrus

‎10-Jan-2023 01:15

Hi everyone 🙂
I need help combining an iRule with doing this:
1. Accept client with specific IP only 
2. For all the rest (not that specific IP), I want to check if the CN contains, for example, *abc.com
If yes - accept that the client
if no - reject the client.

Thank you!

Labels:
0 Kudos
2 REPLIES 2

Paulius
MVP
MVP

‎10-Jan-2023 08:59

@MaxMedov The following could work for you and you can just add additional else if statements for the differents hosts that you have to check. Keep in mind the following has an iRule and then the CLI configuration for an associated data-group for a list of IPs that you want to allow without verifying the CN.

*** iRule ***

when CLIENT_ACCEPTED priority 500 {

    set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 510 {

    set HOST [string tolower [HTTP::host]]

    if { !([--class match [IP::remote_addr] == CLASS_NoHostVerificationIPs]) } {
        if { !($HOST == "www.domain.com") } {
            reject
        else { 
            pool $DEFAULT_POOL
        }
    } else {
        pool $DEFAULT_POOL
    }

}

*** Data-group ***

ltm data-group internal CLASS_NoHostVerificationIPs {
    records {
        1.1.1.1/32 { }
    }
    type ip
}

 

0 Kudos

MaxMedov
Cirrus
Cirrus

‎11-Jan-2023 05:49

@Paulius Thank you! I'll try it and update

Copyright © 2023 Khoros, LLC