09-Jan-2023 06:36
Hi everyone 🙂
Please advise on the best way to write an iRule that does this:
1. Accept only the client coming from 1 specific IP
then:
2. For the rest (who are not this specific IP), I want to check the SSL CN, for example ABC.COM
3. If it does not contain ABC.COM, reject the connection
The meaning is that the 1 client comes from its source without the CN, and I want to pass over it and check only the rest.
Thank you!
12-Jan-2023 20:13
@MaxMedov,
I think you can use TCP::collect.
Refer to the TCP collect start iRule:
when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0
    # disable the client/serverside SSL profile by default
    SSL::disable clientside
    #SSL::disable serverside
    # debug_ip is an address data group listing clients to log for; class match returns "" on no match
    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip] ne "" } {
        #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]"
    }
    # run TCP collect to check SNI for bypass before intercepting SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    # safety timer: release the collected data after 500 ms even if CLIENT_DATA never releases it
    set monitor_id [ after 500 {
        TCP::release
    } ]
}
and you can check the SNI, CN, etc. in "when CLIENT_DATA".
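For the three rules in the original question, here is an added example iRule (not from this thread or its authors) that checks the client certificate's subject CN in the CLIENTSSL_CLIENTCERT event rather than parsing the handshake with TCP::collect. It assumes the Client SSL profile's client certificate setting is "request" (not "require") so the one bypassed client, which sends no certificate, can still complete the handshake; 192.0.2.10 and abc.com are constructed placeholders.

```tcl
# Added example: one source IP is accepted without a certificate check,
# every other client must present a certificate whose subject CN contains abc.com.
# Assumes the Client SSL profile requests (does not require) a client certificate.
when CLIENT_ACCEPTED {
    # Rule 1: mark the single trusted source address (placeholder value)
    set bypass_cn_check 0
    if { [IP::addr [IP::client_addr] equals 192.0.2.10] } {
        set bypass_cn_check 1
    }
}

when CLIENTSSL_CLIENTCERT {
    # The bypassed client is accepted without looking at any certificate
    if { $bypass_cn_check } {
        return
    }

    # Rule 3: no certificate at all is rejected
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # Rule 2: pull the CN field out of a subject like "CN=host.abc.com,OU=...,O=..."
    set subject [X509::subject [SSL::cert 0]]
    set cn ""
    regexp -nocase {CN=([^,]+)} $subject -> cn

    if { ![string match -nocase "*abc.com*" $cn] } {
        log local0. "Client cert CN '$cn' does not contain abc.com from [IP::client_addr]; rejecting"
        reject
    }
}
```

This only inspects the subject string; attach a trusted CA bundle to the Client SSL profile as well, so the certificate is actually validated before its CN is trusted.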
10-Jan-2023 09:37
Max,
Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.
12-Jan-2023 01:58
Hi @G-Rob, from what I know, I can't choose an iRule in an LTM Policy for checking the SSL (containing a specific CN).
Can I do it in an LTM Policy only, without an iRule?
18-Jan-2023 09:24
Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying.