Forum Discussion
2 Way SSL for one pool only
Greetings all,
I met with F5 one week ago, so I am a total newbie, but I want to get rid of our Apache HTTPS proxy, and I don't know how.
My Apache proxy handles 8 proxy balancers with many members and 8 ProxyPass directives, but one of the proxy balancers needs 2-way SSL authentication in this way:
SSLVerifyClient require
RequestHeader set X-Forwarded-Client-Cert "%{SSL_CLIENT_CERT}s"
I guess I need to write an iRule, but how?
Regards!
- Andy_McGrath
Cumulonimbus
The Apache proxy SSLVerifyClient is used to enable SSL Mutual Authentication or two-way SSL authentication. On F5 LTM this is done within an SSL Client Profile under the Client Authentication section.
As a minimum set the Client Certificate option to require and set the Trusted Certificate Authorities to the CA Root Certificate (which you will need to upload to the F5 device) within the SSL Client Profile you are using on the Virtual Server.
For more details see the following:
K15137: Configuring two-way SSL authentication to the Configuration utility
- Kevin_Stewart
Employee
Consider that TLS functions below layer 7 (application layer) in the OSI model, so by the time you have access to a URI value (ex. "/company-online-app"), you've already completed the TLS handshake. You can, however, trigger a TLS renegotiation with client cert request quite simply with APM (Access Policy Manager). Otherwise, you can set Client Authentication in the client SSL profile to request, which will prompt, but still let users in if they don't present a certificate.
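An iRule sketch that combines the two replies above, added here as an example and not posted by anyone in the thread: with Client Certificate set to request in the client SSL profile, it enforces the certificate only for one path and forwards it to the backend in the header from the original Apache configuration. The path `/company-online-app` is taken from the reply above as a stand-in for the protected application, and the header value is the base64-encoded DER certificate rather than Apache's PEM text, so the backend is assumed to accept that form.

```tcl
# Added example, not from the thread. Assumes the client SSL profile has
# Client Certificate = request and the Trusted Certificate Authorities set,
# and that /company-online-app is the only path needing a client certificate.
when HTTP_REQUEST {
    # Drop any copy of the header sent by the client, so the backend only
    # ever sees a value written by the BIG-IP.
    HTTP::header remove "X-Forwarded-Client-Cert"

    if { [HTTP::path] starts_with "/company-online-app" } {
        # In request mode the handshake completes even without a valid
        # certificate, so check here and fail closed.
        if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
            HTTP::respond 403 content "Client certificate required"
            return
        }
        # Base64 of the DER certificate fits on a single header line.
        HTTP::header insert "X-Forwarded-Client-Cert" [b64encode [SSL::cert 0]]
    }
}
```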