Forum Discussion
Client SSL cert Move Traffic To CDN
Is BIGIP still in the new traffic flow?
client --> CDN --> BIGIP --> Origin server
If yes, I guess you would not cache the URI which needs mTLS (client certificate authentication) at the CDN level, and that would be forwarded to the BIGIP. If this is the case, you can still use client certificate authentication on BIGIP. Or did I understand it wrong?
If BIGIP is not in the traffic flow for the CDN and the traffic flow is as below:
client --> CDN --> Origin Server
then you would need to look for an option at the CDN level to parse the client certificate, extract values from it (e.g. SubjectDN, Issuer, serial number) and add them to HTTP headers. These can be checked on the origin server for authorisation.
Current state is client --> BIGIP --> Origin Server
Today BIGIP makes a client cert request, and I allow access based on URI: some URLs can be accessed without a cert, and for some URLs I validate the client certificate and allow access only if the client cert is valid.
The future state:
The flow will be: client --> CDN --> BIGIP --> Origin server
We will move the client certificate authentication to the CDN,
but in the CDN we can't do something like an iRule that checks certificate validation based on URI.
We can make a client certificate request and, if the client gives the certificate, insert the certificate into an HTTP header to BIGIP
(the CDN does not do PKI validation of the client certificate in "Request" mode of the client certificate).
The CDN can validate the client cert only if I work in "Required" mode of the client cert, but that's not good for us because we allow some URIs that work without a cert.
Now the question is: if BIGIP is getting the cert in an HTTP header in base64,
how can I validate that it is a trusted certificate, not only via Subject? I need to validate that this is the certificate that my CA gave to the client.
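As an added illustration (not from this thread or from F5), the check being asked for is an X.509 chain validation of the forwarded certificate against the issuing CA rather than a Subject comparison, which Go's standard library does with x509.Certificate.Verify. The CA, the "alice" client certificates and the header contents are all constructed inside the program; it assumes the header value is base64-encoded DER, as stated in the question, and that the header is only accepted on the listener that receives traffic from the CDN.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)
// verifyForwardedClientCert decodes the base64 DER cert from the header and verifies its signature chain to a CA in roots, its validity period and its client-auth EKU; any non-nil err means the header must be rejected.
func verifyForwardedClientCert(headerValue string, roots *x509.CertPool) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(headerValue)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return cert, err
}
// issue builds a self-signed CA (parent == nil) or a client cert signed by parent; constructed test PKI only.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed CA: CA constraints, no EKU, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, pkey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv, base64.StdEncoding.EncodeToString(der) // third value is what the CDN would put in the header
}
// main: a cert from our CA is accepted; one with the identical Subject issued by an unrelated CA is rejected.
func main() {
	ourCA, ourKey, _ := issue("Example Client CA", nil, nil)
	otherCA, otherKey, _ := issue("Unrelated CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ourCA)
	_, _, fromOurs := issue("alice", ourCA, ourKey)
	_, _, fromOther := issue("alice", otherCA, otherKey)
	_, errA := verifyForwardedClientCert(fromOurs, roots)
	_, errB := verifyForwardedClientCert(fromOther, roots)
	fmt.Println("from our CA accepted:", errA == nil, "| same Subject from other CA rejected:", errB != nil)
}
```

The same Verify call also rejects an expired certificate and a server-only certificate from the trusted CA, which a Subject or Issuer string check forwarded by the CDN would not.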