Forum Discussion

MaxMedov
Jan 10, 2023

iRule to accept client without checking SSL but check for another clients

Hi everyone 🙂
I need help writing an iRule to do this:
1. Accept only one client IP 
2. For other clients who don't match that specific IP, I need to check that the CN in CLIENTSSL_CLIENTCERT contains XXX, then accept those who have it and reject those who haven't.

Thank you very much!

1 Reply

  • MaxMedov The following could work for you and you can just add additional else if statements for the different hosts that you have to check. Keep in mind the following has an iRule and then the CLI configuration for an associated data-group for a list of IPs that you want to allow without verifying the CN.

    *** iRule ***
    
    when CLIENT_ACCEPTED priority 500 {
    
        set DEFAULT_POOL [LB::server pool]
    
    }
    
    when HTTP_REQUEST priority 510 {
    
        set HOST [string tolower [HTTP::host]]
    
        # Clients listed in the data-group skip the host check entirely
        if { !([class match [IP::remote_addr] equals CLASS_NoHostVerificationIPs]) } {
            if { !($HOST == "www.domain.com") } {
                reject
            } else {
                pool $DEFAULT_POOL
            }
        } else {
            pool $DEFAULT_POOL
        }
    
    }
    
    *** Data-group ***
    
    ltm data-group internal CLASS_NoHostVerificationIPs {
        records {
            1.1.1.1/32 { }
        }
        type ip
    }
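
As an added example (not part of the thread or of the reply above), the following iRule implements the policy the original question asks for: client IPs listed in a data-group are accepted without a certificate check, and every other client must present a certificate whose subject CN contains the required fragment. It assumes a client SSL profile with Client Certificate set to request or require, a type-ip data-group named CLASS_NoCertCheckIPs (hypothetical name, built like the one in the reply), and the placeholder fragment XXX from the question.

```tcl
# Added example, not the reply's iRule. Assumes the client SSL profile
# requests (or requires) a client certificate and that the data-group
# CLASS_NoCertCheckIPs (type ip) lists the exempt client address(es).

when RULE_INIT {
    # Constructed placeholder: the substring the subject CN must contain
    set static::required_cn_fragment "XXX"
}

when CLIENTSSL_CLIENTCERT {
    # Exempt client: accepted regardless of any certificate
    if { [class match [IP::client_addr] equals CLASS_NoCertCheckIPs] } {
        return
    }

    # Everyone else must have presented a certificate
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # Subject DN is returned as "CN=app01.example.com,O=Example,C=US";
    # pull out the CN component only, so a match in O= or OU= does not count
    set subject [X509::subject [SSL::cert 0]]
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    if { $cn contains $static::required_cn_fragment } {
        log local0. "Client [IP::client_addr] accepted, CN=$cn"
    } else {
        log local0. "Client [IP::client_addr] rejected, CN=$cn"
        reject
    }
}
```

The log lines give you an audit trail of which clients were exempted, rejected for a missing certificate, or rejected on CN, which is the first thing to check when a legitimate client cannot connect.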