Nimbostratus
EmployeeThat code actually just works on a single VIP. You just need the one client SSL profile that also has the Trusted Certificate Authorities option configured and Client Authentication set to "ignore". When the browser accesses the secure site URL, the iRule is forcing an SSL renegotiation and flipping the Client Authentication setting to "require".
CirrusYour expert feedback was helpful to implement similar conditional mTLS with confidence in 2023!
In another article you nicely explained purpose of HTTP:collect. 1) I wonder why do we need HTTP:release? 2) Does it matter calling it at the beginning or end? 3) I don't good explanation. I found without this piece HTTP_REQUEST_SEND does not fire.
Also, while we are renegotiation anyway 1) should we invalidate the ssl session? 2) What value it adds? 3) Otherwise, what's the pitafall not invalidating the session?
Will aprpeciate your response.
Thank you.