iRule to accept client then check certificate

Question

Hi everyone 🙂I need help combining an iRule with doing this:1. Accept client with specific IP only&nbsp;2. For all the rest (not that specific IP), I want to check if the CN contains, for example, *abc.comIf yes - accept that the clientif no - reject the client.Thank you!

maxmedov · Answer

Paulius&nbsp;Thank you! I'll try it and update

paulius · Answer

MaxMedov The following could work for you and you can just add additional else if statements for the differents hosts that you have to check. Keep in mind the following has an iRule and then the CLI configuration for an associated data-group for a list of IPs that you want to allow without verifying the CN.
*** iRule ***

when CLIENT_ACCEPTED priority 500 {

set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 510 {

set HOST [string tolower [HTTP::host]]

if { !([--class match [IP::remote_addr] == CLASS_NoHostVerificationIPs]) } {
        if { !($HOST == "www.domain.com") } {
            reject
        else { 
            pool $DEFAULT_POOL
        }
    } else {
        pool $DEFAULT_POOL
    }

}

*** Data-group ***

ltm data-group internal CLASS_NoHostVerificationIPs {
    records {
        1.1.1.1/32 { }
    }
    type ip
}
&nbsp;

Forum Discussion

iRule to accept client then check certificate

2 Replies

Recent Discussions

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Related Content

Thumbprint of the client ssl certificate

iRule to accept client then SSL cert validation

BIG-IQ Client Certificate (PKI) Authentication

Automate Let's Encrypt Certificates on BIG-IP

Geolocation accept per url path