Forum Discussion
Stefan_Klotz (Cumulonimbus)
Apr 24, 2023
Client-Certificate and IP-Whitelisting via Policy or iRule?
We have a requirement to verify for a valid client-certificate (not expired and issued from a trusted CA), but also accept a bypass if the source-IP is trusted. I have the following questions for the...
Apr 25, 2023
I would approach this by having two separate client SSL profiles - one without client authentication (bypass) and one with client authentication (require). And then use an iRule to switch between them based on the source IP.
create ltm profile client-ssl CLIENTSSL-NO-CLIENT-AUTH defaults-from <PARENT CLIENT SSL PROFILE> cert-key-chain add { <CERT KEY CHAIN NAME> { cert <CERT NAME>.crt key <KEY NAME>.key chain <CA BUNDLE NAME>.crt } }

create ltm profile client-ssl CLIENTSSL-CLIENT-AUTH defaults-from <PARENT CLIENT SSL PROFILE> cert-key-chain add { <CERT KEY CHAIN NAME> { cert <CERT NAME>.crt key <KEY NAME>.key chain <CA BUNDLE NAME>.crt } } peer-cert-mode require ca-file <ROOT CA NAME>.crt

create ltm data-group internal DG-SSL-CLIENT-AUTH-BYPASS type ip records add { <WHITELISTED IP 1> { } <WHITELISTED IP 2> { } ... }

when CLIENT_ACCEPTED {
    set DEBUG 0
    set CLIENT_IP [IP::client_addr]
    if { [class match $CLIENT_IP equals DG-SSL-CLIENT-AUTH-BYPASS] } {
        # Skip SSL client authentication for whitelisted source IPs
        SSL::profile CLIENTSSL-NO-CLIENT-AUTH
        if { $DEBUG } { log local0. "$CLIENT_IP - SSL client authentication bypassed" }
    } else {
        # Enforce SSL client authentication for all other source IPs
        SSL::profile CLIENTSSL-CLIENT-AUTH
        if { $DEBUG } { log local0. "$CLIENT_IP - SSL client authentication enforced" }
    }
}
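As an added example (not the reply author's code), the following iRule builds on the same two profiles and data group to cover the other half of the original question: with the profile switch alone, the "trusted CA and not expired" checks are delegated entirely to peer-cert-mode require and ca-file, so this version also inspects the verification result in CLIENTSSL_CLIENTCERT, logs the outcome, and tells the backend which path admitted the connection. The header names X-Client-Auth and X-Client-Cert-Subject are assumptions; the profile and data-group names are the ones from the reply above.

```tcl
# Added example, not from the thread. Assumes the profiles
# CLIENTSSL-NO-CLIENT-AUTH / CLIENTSSL-CLIENT-AUTH and the data group
# DG-SSL-CLIENT-AUTH-BYPASS from the reply above already exist.
when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]
    # Default is the strict path; only listed L3 source addresses bypass it.
    set auth_mode "cert"
    set cert_subject ""
    if { [class match $client_ip equals DG-SSL-CLIENT-AUTH-BYPASS] } {
        set auth_mode "ip-bypass"
        SSL::profile CLIENTSSL-NO-CLIENT-AUTH
    } else {
        SSL::profile CLIENTSSL-CLIENT-AUTH
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires only on the client-auth profile. peer-cert-mode require already
    # fails the handshake on a bad chain; checking here as well gives a log
    # line with the reason (untrusted issuer, expired, missing cert).
    if { [SSL::cert count] < 1 || [SSL::verify_result] != 0 } {
        log local0. "$client_ip - client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    set cert_subject [X509::subject [SSL::cert 0]]
    log local0. "$client_ip - client cert accepted: $cert_subject"
}

when HTTP_REQUEST {
    # Strip any client-supplied copies first so the backend cannot be fed a
    # forged value, then state how this connection was authenticated.
    HTTP::header remove X-Client-Auth
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header insert X-Client-Auth $auth_mode
    if { $auth_mode eq "cert" } {
        HTTP::header insert X-Client-Cert-Subject $cert_subject
    }
}
```

Two caveats when relying on the bypass: IP::client_addr is the address of the TCP peer, so if a load balancer or proxy in front of the BIG-IP source-NATs traffic, every client would appear to come from that one address and the whole list should be reviewed before that device is added to it; and the data group accepts CIDR entries, so keep the whitelist as narrow as the trusted hosts actually require.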
May 10, 2023
That's great. Glad I could help. I also agree with those modifications you made - it simplifies the configuration.