
iRule to match SNI

Karthick1
Cirrus

I have configured one VS with multiple SSL profiles, and one SSL profile is marked as the default SNI.

I need to write an iRule to match the SNI (during client hello) only for the assigned SSL profiles; the rest should be blocked.

E.g., if my VS is assigned 2 SSL profiles with common names abc.com and ccc.com, I need to write an iRule to match only the abc and ccc common names; the rest should be blocked, whether access is by IP or via some other common name.

Kindly share your inputs for writing the iRule.

4 REPLIES

Hi Karthick,

    when HTTP_REQUEST {
        switch [HTTP::host] {
            "abc.com" -
            "www.abc.com" -
            "ccc.com" -
            "www.ccc.com" { }
            default { reject }
        }
    }

 

Dear Eaa,

 

Thanks for your comments. Yes, I have done the same iRule that you shared, using class match.

But I need to match using SNI during client hello. I tried using this command, "SSL::sni name", but it is not working.

 

 

Hi Karthick,

Can you try with [SSL:extension sni name]?

    when CLIENTSSL_CLIENTHELLO {
        if { [SSL:extension sni name] ends_with "abc.com" } {
            # ..
        }
    }
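An added example, not code from any poster in this thread: one way to enforce an exact-match SNI allowlist at the ClientHello, rejecting connections that send no SNI (for example, access by IP) or an unlisted name. It assumes the hostnames abc.com and ccc.com from the question, and that `SSL::extensions -type 0` returns the server_name extension including its 4-byte type/length header, so the hostname starts at byte offset 9.

```tcl
when CLIENTSSL_CLIENTHELLO {
    # Start with no SNI; an empty value falls through to the reject branch.
    set sni ""

    # TLS extension type 0 is server_name (SNI).
    if { [SSL::extensions exists -type 0] } {
        set ext [SSL::extensions -type 0]

        # Assumed layout of the returned bytes:
        #   ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name(...)
        # name_type 0 means host_name; only the first entry is read.
        if { [binary scan $ext {@6cS} name_type name_len] == 2
             && $name_type == 0 && $name_len > 0 } {
            # Read exactly name_len bytes so trailing data is never
            # treated as part of the hostname.
            if { [binary scan $ext "@9a${name_len}" raw_name] == 1 } {
                set sni [string tolower $raw_name]
            }
        }
    }

    # Exact comparison: a suffix test such as ends_with "abc.com" would
    # also accept names like "notabc.com".
    switch -exact -- $sni {
        "abc.com" -
        "www.abc.com" -
        "ccc.com" -
        "www.ccc.com" {
            # Allowed name: let the handshake continue with the matching profile.
        }
        default {
            log local0.notice "SNI not allowed: '$sni' from [IP::client_addr]"
            reject
        }
    }
}
```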

 

Karthick1
Cirrus

Thanks, Eaa