Thornid (Nimbostratus)
Jul 01, 2019
Restrict Source IPs iRule
Hi all,
Forgive what may be such an easy iRule question, but unfortunately my experience with them is rather limited and time is of the essence. We have an iRule which looks to be doing something with the client certificate, as you can see:
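    when CLIENTSSL_CLIENTCERT priority 500 {
        # Data group names are built from the virtual server name with its last two characters dropped
        set cnAllowClass "[string range [virtual name] 0 end-2]cn_allow_class"
        set clientCertRequiredClass "[string range [virtual name] 0 end-2]client_cert_required_class"
        set clientCertHeaderName "ssl_client_cert"
        set clientIP [IP::client_addr]

        # No client certificate presented: drop the connection
        if {[SSL::cert count] == 0} {
            reject
            return
        }

        set subjectDN [string tolower [X509::subject [SSL::cert 0]]]

        # Subject is in the "certificate required" data group: stage the
        # base64-encoded certificate and a flag (neither is used within this event)
        if {[class match $subjectDN contains $clientCertRequiredClass] != 0} {
            set clientCertHeaderValue [b64encode [SSL::cert 0]]
            set flgInsertClientCertHeader 1
        }

        # Reject any certificate whose subject is not in the CN allow data group
        set cnExists [class match $subjectDN contains $cnAllowClass]
        if {$cnExists == 0} {
            reject
        }
    }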
...what we need to do is add something in before this code that will say, in plain English:
"if the source IP address is a.b.c.d, then use SSL profile abcd. If not, then use SSL profile efgh."
Any ideas on how we can achieve this?
Thank you.
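
One way to do what the post asks, as an added example that is not part of the original thread: select the client SSL profile in CLIENT_ACCEPTED, which fires before the TLS handshake that later raises CLIENTSSL_CLIENTCERT. The address 192.0.2.10 and the /Common/ paths are assumptions standing in for the post's a.b.c.d, abcd and efgh, and the virtual server is assumed to already have a client SSL profile attached.

```tcl
when CLIENT_ACCEPTED priority 100 {
    # Assumption: 192.0.2.10 is a constructed stand-in for the post's a.b.c.d.
    # Assumption: abcd and efgh are client SSL profiles in the /Common partition.
    if { [IP::addr [IP::client_addr] equals 192.0.2.10] } {
        # Matching source: the handshake uses profile abcd
        SSL::profile /Common/abcd
        log local0.info "[virtual name]: [IP::client_addr] -> client SSL profile abcd"
    } else {
        # Every other source: the handshake uses profile efgh
        SSL::profile /Common/efgh
        log local0.info "[virtual name]: [IP::client_addr] -> client SSL profile efgh"
    }
}
```

Because the existing CLIENTSSL_CLIENTCERT logic runs after the handshake, it applies unchanged to whichever profile was selected. If clients reach the virtual server through a NAT or proxy, `[IP::client_addr]` is that device's address, so efgh should be the stricter of the two profiles.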