Forum Discussion
Client cert passthrough to server with i-rule
I've been fiddling with similar and at one point was using the following code.
A few notes - the SSL Client Profile needs to be set to request/require for this to work as this prompts the user to supply a client certificate.
You can un-comment the log line if you want to verify that the F5 is seeing the cert correctly. You could also change the redirect structure... in my case I was restricting users based upon the fact they *had* to present a certificate. You might have to change the header field that you insert depending on your application.
*further side note* - this does no validation of the cert - it simply passes it straight on.
```tcl
when HTTP_REQUEST {
    if { [SSL::cert count] > 0 } then {
        # set a variable for the whole cert - cut out the BEGIN and END crap though
        # (join ... "" removes the line breaks so the value fits on one header line)
        set ssl_cert_whole [join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } [X509::whole [SSL::cert 0]]]] ""]
        # log to show we are receiving the cert
        # log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
        # insert the whole cert as a header
        HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
    } else {
        log local0. "Restricted zone. No client cert detected - redirecting."
        HTTP::redirect "https://error/error-page.htm"
    }
}
```
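A hardened variant of the iRule above, added here as an example and not part of the original post: it removes any client-supplied copy of the header before inserting the real one, and rejects certificates that fail the client SSL profile's verification, which the post notes its version does not check. The header name and redirect URL are the post's; the 403 response body is an assumption.

```tcl
when HTTP_REQUEST {
    # Never trust a copy of this header sent by the client: drop every
    # occurrence so the backend only ever sees the value inserted below.
    HTTP::header remove "X-ENV-SSL_CLIENT_CERTIFICATE"

    if { [SSL::cert count] == 0 } {
        log local0. "Restricted zone. No client cert detected - redirecting."
        HTTP::redirect "https://error/error-page.htm"
        return
    }

    # With the profile set to "request", the handshake can complete even when
    # the certificate does not verify, so check the result here.
    # 0 means the chain verified against the profile's trusted CAs.
    set verify [SSL::verify_result]
    if { $verify != 0 } {
        log local0. "Client cert rejected: [X509::verify_cert_error_string $verify]"
        # Assumed response; adjust to the application's error handling.
        HTTP::respond 403 content "Client certificate not accepted"
        return
    }

    # Same encoding as the original post: PEM body on a single line,
    # without the BEGIN/END markers.
    set ssl_cert_whole [join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } [X509::whole [SSL::cert 0]]]] ""]
    HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
}
```

The backend should accept this header only on connections coming from the BIG-IP, since anything that can reach it directly can set the header itself.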