
PiotrL
May 29, 2018

Client SSL profile based on a client ip address and SNI

How can I configure an iRule to apply different client SSL profiles depending on 2 conditions: client address and SNI (Server Name Indication)?

 

2 Replies

  • Hi,

    Can you please give me the use case that you want to implement?

    Below is an iRule that allows you to manage the SSL profile based on the IP address:

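    when CLIENT_ACCEPTED {
        # IP::addr compares addresses with the "equals" operator
        if { [IP::addr [IP::client_addr] equals 1.2.3.4] } {
            # Matching client: use the first client SSL profile
            SSL::profile client-ssl-1
        } else {
            # Every other client: use the second client SSL profile
            SSL::profile client-ssl-2
        }
    }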
    

    For SNI you can set it directly in client ssl profile in "Server Name" settings.

    Just for information: if you set multiple client SSL profiles in your VS, you have to set the "Server Name" for each profile and a default client SSL profile for one.

    Example:

    • client-ssl1 : toto.mydomain.com
    • client-ssl2 : tata.mydomain.com
    • client-ssl2 : *.mydomain.com (check "Default SSL Profile for SNI" setting)

    Let me know if you need additional info.

    Regards.

  • If you want to select client SSL profile based on client IP, you can create 2 virtual servers with same destination address, but with source IP condition.

     

    SNI-based profile selection is automatic when you assign more than one profile to the VS. One and only one of these profiles must have "Default for SNI" enabled.

    VS1:

     

    • source 0.0.0.0/0
    • destination 1.2.3.4
    • ssl profiles:
      • SSL_company.com (default for SNI)
      • SSL_company.org
      • SSL_company.co.uk

    VS2:

     

    • source 172.16.0.0/12
    • destination 1.2.3.4
    • ssl profiles:
      • SSL_company.com_VS2 (default for SNI)
      • SSL_company.org_VS2
      • SSL_company.co.uk_VS2
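
The selection the two replies describe, modelled in Python as an added example (not part of either reply and not F5 code), useful for checking which profile a given client IP and SNI should end up with. Assumptions: each profile's "Server Name" is the domain in its name, the most specific matching source prefix picks the virtual server, and a wildcard server name covers a single label.

```python
import ipaddress

# Constructed model of the two virtual servers in the reply above.
# Assumption: each profile's "Server Name" is the domain in its name.
def _profiles(suffix=""):
    domains = ("company.com", "company.org", "company.co.uk")
    return [{"name": f"SSL_{d}{suffix}", "server_name": d,
             "default": d == "company.com"} for d in domains]

VIRTUAL_SERVERS = [
    {"name": "VS1", "source": "0.0.0.0/0", "profiles": _profiles()},
    {"name": "VS2", "source": "172.16.0.0/12", "profiles": _profiles("_VS2")},
]

def default_profile(vs):
    """Enforce the rule from the reply: exactly one 'Default for SNI' profile."""
    defaults = [p for p in vs["profiles"] if p["default"]]
    if len(defaults) != 1:
        raise ValueError(f"{vs['name']}: {len(defaults)} default-for-SNI profiles, need 1")
    return defaults[0]

def pick_virtual_server(client_ip, servers=VIRTUAL_SERVERS):
    """Assumed precedence: the most specific matching source prefix wins."""
    ip = ipaddress.ip_address(client_ip)
    matches = [vs for vs in servers if ip in ipaddress.ip_network(vs["source"])]
    if not matches:
        raise LookupError(f"no virtual server accepts {client_ip}")
    return max(matches, key=lambda vs: ipaddress.ip_network(vs["source"]).prefixlen)

def pick_profile(vs, sni):
    """Exact server name, then single-label wildcard (assumed), then the default."""
    fallback = default_profile(vs)
    if not sni:  # client sent no SNI extension
        return fallback["name"]
    host = sni.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else ""
    for wanted in (host, "*." + parent):
        for p in vs["profiles"]:
            if p["server_name"].lower() == wanted:
                return p["name"]
    return fallback["name"]

def select(client_ip, sni=None, servers=VIRTUAL_SERVERS):
    """Return (virtual server name, client SSL profile name) for a connection."""
    vs = pick_virtual_server(client_ip, servers)
    return vs["name"], pick_profile(vs, sni)
```

A client that sends no SNI, or an SNI that matches no server name, always receives the default-for-SNI profile of whichever virtual server accepted it, so that profile's certificate and cipher settings are what unknown clients see.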