Forum Discussion

Hille_de_Graaf_'s avatar
Hille_de_Graaf_
Icon for Nimbostratus rankNimbostratus
Jul 13, 2006

convert v4.5 irules to v9.1.2 irules

We have a bigip2000 and doing some offloading for SSL-servers. We are also checking client certificates via an irule. I was used to the scripting tool in version 4.5, but TCL is somewhat else:

 

 

In 4.5 we use the following irule:

 

==========

 

if (http_header("SSLClientCertStatus") == one of ccert_ok) {

 

use pool Portal-apps

 

}

 

else if (http_header("SSLClientCertStatus") == "NoClientCert") {

 

redirect to "https://portal.rdc.nl/errors/nocert.htm"

 

}

 

else {

 

redirect to "https://portal.rdc.nl/errors/cert_error.htm"

 

}

 

=========

 

ccert_ok is a class that checks on two values

 

 

Can anybody help me or point me out what the irule should be in version 9

 

 

Thanks in advanced

1 Reply

  • In v.9.x, you would use the matchclass to replace the "one of" command in v4.x. You'll have to create a Data Group called ccert_ok with the acceptable values.

    when HTTP_REQUEST {
      set hdr [HTTP::header "SSLClientCertStatus"]
      if { [matchclass $hdr equals $::ccert_ok] } {
        pool Portal-apps
      } elseif { $hdr equals "NoClientCert" } {
        HTTP::redirect "https://portal.rdc.nl/errors/nocert.htm"
      } else {
        HTTP::redirect "https://portal.rdc.nl/errors/cert_error.htm"
      }
    }

    Just keep in mind that the equals command is case sensitive, so you might want to make all the strings lower case in your ccert_ok data group and then wrap the HTTP::header command with a "string tolower" command to convert the header to lowercase. But, if you know that case won't be an issue, then just leave it as is.

    Hope this helps...

    -Joe