Forum Discussion
Client Authentication for Specific URI
Is there a way to terminate SSL for a VS and use client SSL authentication, but only if they are going to anything in /SOAP? So if they request there would be no client SSL authentication required, but if they go to they will be required to authenticate.
Hi e0013192,
you may take a look at the iRule below. It changes the SSL settings to require authentication if a specific URI was requested, and then simply pauses the ongoing HTTP request until an SSL renegotiation has been successfully completed.
```tcl
when CLIENT_ACCEPTED {
    # Per-connection flag: 1 while an HTTP request is held pending a client cert.
    set session_cert 0
}
when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake and again after each renegotiation.
    if { $session_cert } then {
        if { [SSL::cert count] > 0 } then {
            log -noname local0.debug "Client cert is OK; releasing HTTP request."
            HTTP::release
            set session_cert 0
        } else {
            log -noname local0.debug "Client cert is not OK; rejecting TCP connection."
            reject
        }
    }
}
when HTTP_REQUEST {
    # Case-insensitive prefix match on the requested URI.
    if { [string tolower [HTTP::uri]] starts_with "/soap" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]"
        if { [SSL::cert count] == 0 } {
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
            set session_cert 1
            # Hold the request, then require a client cert and renegotiate.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
```
Note: You have to configure the "Trusted CA" and "Advertised CA" settings in your Client SSL Profile, but leave the "Client Certificate" setting at "Ignore". This will be controlled by this iRule.
Cheers, Kai