Irule to match SNI

Question

I have configured one vs with multiple ssl profile and one ssl profile marked as default SNI,

I need to write irule to match SNI ( during client hello ) only for assigned ssl profile rest it should block.

Eg, if my vs assigned 2ssl profile with common name, abc.com and ccc.com, i need to write irule to match only abc and ccc common names, rest should block, either by ip or access via some other common name.

Kindly share your inputs for writing irule

enes_afsin_al · Answer

Hi Karthick,Can you try with [SSL:extension sni name] ?when CLIENTSSL_CLIENTHELLO {
	if { [SSL:extension sni name] ends_with "abc.com" } {
		# ..
	}
}

enes_afsin_al · Answer

Hi Karthick,when HTTP_REQUEST {
	switch [HTTP::host] {
		"abc.com" -
		"www.abc.com" -
		"ccc.com" -
		"www.ccc.com" { }
		default { reject }
	}
}

karthick1 · Answer

Dear Eaa, &nbsp;Thanks for your comments, yes the same irule which you have shared i have done using class match. &nbsp;but i need to match using SNI during client Hello. I tried using this cmd "SSL::sni name " but it is not working.&nbsp;&nbsp;

karthick1 · Answer

thanks Eaa&nbsp;

Forum Discussion

Irule to match SNI

4 Replies

Recent Discussions

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

Related Content

/32 IPs in Datagroup class match not matching

irule - stop processing on condition match

APM IP Subnet Match - single IP list

SNI Based on IRule

Where is a class match list located?