Client authentication and Pool selection
I want to implement a client authentication solution based on the irule written by Kai (https://devcentral.f5.com/questions/client-authentication-for-specific-uri-52458 ).
Here is my irule:
when CLIENT_ACCEPTED { set session_cert 0 } when CLIENTSSL_CLIENTCERT { if { $session_cert } then { if { [SSL::cert count] > 0 } then { HTTP::release set session_cert 0 set subject_dn [X509::subject [SSL::cert 0]] } else { reject } } } when HTTP_REQUEST { if { ( [HTTP::uri] contains "/X509" ) } { log -noname local0.debug "Certificate required for: [HTTP::uri]" if { [SSL::cert count] == 0} { log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..." set session_cert 1 HTTP::collect SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate } else { HTTP::header insert W_Subject_dn $subject_dn pool iamintsit.etc_8443_pool
} } else { log local0.debug "From [IP::client_addr] go to pool" pool mypool_pool }
}
The process of the PIV card interaction works fine, however the traffic get stuck at clientssl_clientcert rule once the cert is found!
After running a capture I noticed the following error: F5RST: No server selected.
So basically F5 cannot find a pool member if it is not defined under default pool. Apparently once the cert is found F5 exits the irule and looks for the default pool. My expectation is to have the HTTP_REQUEST rule re-scanned for the pool selection.
Since I would like to control everything within the irule, because I want to add some headers, I cannot define a default pool.
thanks for your help. PS: Also I used clientssl_clientcert instead of clientssl_handshake. The latter didn't work.