Gabor_Torok_937
Feb 08, 2006
Blacklisting with iRule + iControl
Hi,
We'd like to introduce a blacklisting feature on our redundant F5 devices as follows:
- We've created an external data group that can be updated whenever the content of blacklist has changed,
- We've added an iRule to our virtual server that does the following:
. It gets triggered on CLIENTSSL_HANDSHAKE,
. It checks whether the certificate serial number of the client is on the blacklist,
. If it's on the blacklist, it rejects the connection,
. If it's not on the blacklist, it does nothing.
- We're planning to use upload_file method from System/ConfigSync interface for updating the blacklist.
I have two questions:
1.) We've noticed that using the aforementioned method is not considered a configuration change. Consequently, the data group content is not read by the F5 system automatically. How can we let the system know that it's time to re-read the content of an external data group, so that our iRule will always have an up-to-date array of certificate serial numbers?
2.) How can we sync the two devices when updating the data group on only one of them? Is there an API that makes this possible? Remember, uploading a file is seemingly not treated as a configuration change. Or shall we use brute force and upload the file to both devices? That doesn't sound like a nice solution, though it seems to be efficient.
Thanks for your help in advance,
Tote
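The serial-number check the post describes, written out as an added iRule example (this is not the poster's own iRule). It assumes a string-type external data group named `cert_blacklist` whose entries are serial numbers as lowercase hex with no separators, uses the `class match` syntax of BIG-IP v10 and later (on v9 the equivalent line is `matchclass $serial equals $::cert_blacklist`), and normalises the value returned by `X509::serial_number` before comparing it, since the exact formatting of that string is an assumption here:

```tcl
# Added example, not the original post's iRule.
# Assumes: string data group "cert_blacklist" (external file), entries are
# lowercase hex serial numbers without colons, client SSL profile set to
# "request" or "require" so a client certificate can be present.
when CLIENTSSL_HANDSHAKE {
    # Nothing to check if the client did not present a certificate; the
    # client SSL profile (require vs. request) decides what happens then.
    if { [SSL::cert count] == 0 } {
        return
    }

    # Normalise the serial so the comparison is independent of case and of
    # any colon separators in the string the X509 command returns.
    set serial [string tolower [string map {":" ""} [X509::serial_number [SSL::cert 0]]]]

    # Look the serial up in the data group; reject the TCP connection on a hit.
    # v9 equivalent: [matchclass $serial equals $::cert_blacklist]
    if { [class match $serial equals cert_blacklist] } {
        log local0. "Rejecting [IP::client_addr]: client cert serial $serial is blacklisted"
        reject
    }
}
```

Two caveats a practitioner should keep in mind with this design. A serial number is only unique per issuer, so matching on the serial alone is safe only when the client SSL profile trusts a single CA; with several trusted CAs, key the blacklist on issuer plus serial (for example `[X509::issuer [SSL::cert 0]]` concatenated with the serial). And the data group is read when the configuration is loaded, which is exactly the refresh problem the post asks about: whatever mechanism you settle on for re-reading the external file, test that a serial added to the file is actually rejected by a new handshake before relying on it.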