Forum Discussion
CAC Auth triggered by specific URI via iRule
I am looking for a way to have the BIG-IP perform CAC auth on behalf of a server, but only for a specific URI / page that the user connects to. This is what I have so far, but I am not sure how to tell the F5 which OCSP auth profile to use or even the specific CA file to use. I am trying to avoid having to send anything to the server for processing via header and instead just wish to have the iRule trigger the CAC auth requirement ONLY for a specific page. Any thoughts?
This is what I have so far...
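```tcl
when HTTP_REQUEST {
    # Only requests whose URI contains /cacauth trigger client-certificate auth
    if { ( [string tolower [HTTP::uri]] contains "/cacauth" ) } {
        # No client certificate has been presented on this connection yet
        if { [SSL::cert count] <= 0 } {
            # Hold the HTTP request while the TLS session is renegotiated
            HTTP::collect
            # Force authentication on the renegotiation, allow a chain depth of 9
            SSL::authenticate always
            SSL::authenticate depth 9
            # Require a client certificate, then start the renegotiation
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
```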
2 Replies
- Mike_P_
Nimbostratus
By the way... This is for ver 11.5.3 LTM with APM. I have APM profiles and also LTM profiles that already work perfectly with CAC auth and OCSP checking, but am trying to figure out how to best implement one of those methods via an iRule specific to a page.
- Mike_P_
Nimbostratus
I think I answered my own question after finding this link:
https://devcentral.f5.com/wiki/irules.ssl__authenticate.ashx
I added some log statements and now I see the F5 is authenticating properly and it sends the HTTP request to the server, but the server was also set up to require CAC and, thus, was not allowing the connection.
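
The per-URI renegotiation discussed in this thread, written out with the handler that releases the held request and logs the outcome. This is an added example, not code from the poster or from F5. It assumes the virtual server's client SSL profile already trusts the CAC issuing CAs, reuses the `/cacauth` path from the question, and uses constructed log messages; it does not cover OCSP profile selection.

```tcl
# Added example (not the poster's rule). Assumption: the client SSL profile on
# this virtual server already lists the CAC issuing CAs as trusted.
when HTTP_REQUEST {
    # Match on the path only, so a query string that merely contains
    # "/cacauth" does not decide whether a certificate is required.
    if { [string tolower [HTTP::path]] starts_with "/cacauth" } {
        if { [SSL::cert count] <= 0 } {
            # Hold the request until the client has presented a certificate.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client certificate message arrives during the handshake.
    if { [SSL::cert count] < 1 } {
        log local0. "CAC auth: no client certificate from [IP::client_addr]"
        reject
        return
    }
    # 0 means the chain verified against the profile's trusted CAs.
    set result [SSL::verify_result]
    if { $result != 0 } {
        log local0. "CAC auth: verify failed for [IP::client_addr]: [X509::verify_cert_error_string $result]"
        reject
        return
    }
    log local0. "CAC auth: accepted [X509::subject [SSL::cert 0]]"
    # Forward the held request only after the certificate checks pass.
    HTTP::release
}
```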