vvskaladhar_488
Jun 19, 2018

irule modification help and new irule for allow specific ips only

Hello All,

Can you please let me know if we can have an iRule to allow only selected IP ranges to access TLSv1.0 and v1.1 on the F5 VIP? Also, currently I am using the below iRule to find out the TLS traffic hitting the virtual server, and I want to add URI information also to be logged in the below iRule. Please let me know what addition I need to make to this iRule.

    when CLIENTSSL_CLIENTHELLO {
        # Collect the virtual server, client address and the TLS cipher/protocol
        set virtual_server [LB::server]
        set userip [IP::client_addr]
        set SSL_version [SSL::cipher name]
        set SSL_PROTOCOL [SSL::cipher version]

        # Log only clients that negotiate TLSv1.0
        if {$SSL_PROTOCOL == "TLSv1"} {
            log local0. "Warning: $userip - $SSL_version - $SSL_PROTOCOL - $virtual_server"
        }
    }

1 Reply

  • You can use code like this:


    when CLIENTSSL_CLIENTHELLO {

        set virtual_server [LB::server]
        set userip [IP::client_addr]
        set SSL_version [SSL::cipher name]
        set SSL_PROTOCOL [SSL::cipher version]
        # SNI is extension type 0; the first 9 bytes of the raw extension are
        # header fields (type, length, list length, name type, name length),
        # so the host name starts at offset 9. Empty string when SNI is absent.
        set TLS_ServerName [ expr {[SSL::extensions exists -type 0] ? [string range [SSL::extensions -type 0] 9 end] : "" }]
        log local0. $TLS_ServerName

        # Reject TLSv1.0 unless the client comes from the allowed 192.168.1.0/24 range
        if {$SSL_PROTOCOL == "TLSv1" && ![IP::addr [IP::remote_addr] equals 192.168.1.0/24]} {
            log local0. "Warning: $userip - $SSL_version - $SSL_PROTOCOL - $virtual_server - $TLS_ServerName"
            reject
        } else {
            log local0. "Informational: $userip - $SSL_version - $SSL_PROTOCOL - $virtual_server - $TLS_ServerName"
        }
    }

    The TLS_ServerName variable contains the value of the ServerName extension. This extension may contain the hostname of the request!
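A fuller version of the same approach, written here as an added example (not the reply author's code): it treats both TLSv1 and TLSv1.1 as legacy, looks the client address up in an address-type data group instead of a hard-coded /24, and logs the SNI host name rather than the URI, because CLIENTSSL_CLIENTHELLO fires before the handshake completes and nothing at the HTTP layer is readable yet. The data group name legacy_tls_allowed_nets is an assumption; create it on the BIG-IP with the networks that are still permitted to use the old protocols.

```tcl
# Added example, not code from the forum thread. Assumes an address-type
# data group named legacy_tls_allowed_nets listing the networks that may
# still use TLSv1 / TLSv1.1; other clients on those protocols are logged
# and rejected, and every handshake is logged with its SNI host name.
when CLIENTSSL_CLIENTHELLO {
    set vs     [virtual name]
    set client [IP::client_addr]
    set proto  [SSL::cipher version]
    set cipher [SSL::cipher name]

    # SNI is extension type 0. The raw extension is: type(2) length(2)
    # list_length(2) name_type(1) name_length(2) followed by the host name,
    # hence the 9-byte offset. A missing SNI is logged as "-".
    set sni "-"
    if { [SSL::extensions exists -type 0] } {
        set sni [string range [SSL::extensions -type 0] 9 end]
    }

    switch -exact -- $proto {
        TLSv1 -
        TLSv1.1 {
            # Legacy protocol: allow only addresses found in the data group
            if { [class match $client equals legacy_tls_allowed_nets] } {
                log local0. "Informational: legacy $proto allowed - $client - $cipher - $vs - sni=$sni"
            } else {
                log local0. "Warning: legacy $proto rejected - $client - $cipher - $vs - sni=$sni"
                reject
            }
        }
        default {
            # TLSv1.2 and newer: no restriction, log for visibility
            log local0. "Informational: $proto - $client - $cipher - $vs - sni=$sni"
        }
    }
}
```

Review the "Warning" lines in /var/log/ltm before enabling the reject, so the data group covers every source that legitimately still needs the older protocols.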