iRule to check the client IP along with the client certificate CN

Hi,

I'm trying to narrow the accepted traffic to be from a source IP address with a specific common name (from the authorized certificate), but I'm getting an error:

can't read "subject": no such variable

I already inserted the client certificate in the client SSL profile Trusted Certificate Authorities and put it as required.

The iRule is:

when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/Test/Service-One") && ([IP::addr [IP::client_addr] equals 1.2.3.4/32]) } {
        if { $subject contains "CN=CL_CN" } {
            log local0.info "BW_C114 clientIP:[IP::client_addr] accessed 19696_Pool With Certificate OK"
            pool AP_19696
        }
    } elseif { ([HTTP::uri] starts_with "/Test/Service-Two") && ([IP::addr [IP::client_addr] equals 1.2.3.5/32]) } {
        log local0.info "BW_C115 clientIP:[IP::client_addr] accessed 19698_Pool"
        pool AP_19698
    } else {
        log local0.info "[HTTP::uri]"
        log local0.info "BW_Reject clientIP:[IP::client_addr] was rejected policy Violation"
        reject
    }
}

Any help, please. Thank you.

Comments on this Question
Comment made 4 months ago by Alan Moen 122

Check here.

  set cert [SSL::cert 0]
  set subject [X509::subject $cert]

You're not setting $subject anywhere before using it. The above snippet (from the link) may help.

Comment made 4 months ago by A.Alkhuja 54

It worked,

Thank you Alan.
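
The fix from the comment placed into the full rule, as an added example that is not code posted by either participant. It assumes X509::subject returns comma-separated attr=value pairs and that the CN holds no comma. It also compares the CN exactly instead of with "contains", and puts the CN test in the branch condition so a Service-One request with the wrong certificate reaches the reject branch rather than falling through to the virtual server's default pool.

```tcl
when HTTP_REQUEST {
    # Subject of the client certificate on this connection; stays empty
    # when none was presented, so the CN test below fails closed.
    set subject ""
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
    }

    # Pull out the CN value for an exact comparison. A substring test such
    # as 'contains "CN=CL_CN"' also accepts CN=CL_CN-anything.
    # Assumed: the subject is a comma-separated list of attr=value pairs.
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    set uri [HTTP::uri]
    set ip  [IP::client_addr]

    if { ($uri starts_with "/Test/Service-One") && [IP::addr $ip equals 1.2.3.4/32] && ($cn eq "CL_CN") } {
        log local0.info "BW_C114 clientIP:$ip accessed 19696_Pool With Certificate OK"
        pool AP_19696
    } elseif { ($uri starts_with "/Test/Service-Two") && [IP::addr $ip equals 1.2.3.5/32] } {
        log local0.info "BW_C115 clientIP:$ip accessed 19698_Pool"
        pool AP_19698
    } else {
        # Reached for an unknown URI or source IP, and for Service-One
        # requests whose certificate CN is missing or different.
        log local0.info "BW_Reject clientIP:$ip uri:$uri cn:$cn was rejected policy Violation"
        reject
    }
}
```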
