Forum Discussion
ashbeyk_127079
Nimbostratus
Sep 22, 2005
Conditional client cert and LDAP auth
I am trying to create a reverse proxy using iRules. This requires that certain URLs require client certs, others don't, and that certain URLs require LDAP auth, others don't.
I am checking the passe...
ashbeyk_127079
Nimbostratus
Sep 22, 2005
This is part of my code:
when HTTP_REQUEST {
    .
    .
    if {$target_app != 0} {
        if {([lsearch -exact $::apps_needing_cert $target_app] != -1) && ($have_cert == 0)} {
            log local0. "Cert required, forcing renegotiate"
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
            set need_cert 1
            set need_ldap 1
            log local0. "Setting need_cert to 1"
            log local0. "Setting need_ldap to 1"
            log local0. "Cert required, sent renegotiate"
If I put the 401 here it doesn't work; I just get a "not found" page.
            HTTP::respond 401 content "" "WWW-Authenticate" "BASIC realm=\"$::realm\""
The HTTP::release is here:
when AUTH_SUCCESS {
    log local0. "auth success event"
    if {$tmm_auth_ldap_sid eq [AUTH::last_event_session_id]} {
        log local0. "ldapauth success"
        set have_ldap 1
        log local0. "have_ldap set to 1"
        HTTP::release
    }
}
I'm doing this at the moment which works:
when HTTP_RESPONSE {
    .
    .
    if {($have_cert eq "needs_renew") && ($target_app ne $::cert_renewal_app) } {
        log local0. "expiring cert-redirecting to $::cert_renewal_page"
        HTTP::redirect $::cert_renewal_page
    } elseif {($need_ldap == 1) && ($have_ldap == 0)} {
        log local0. "ldap required"
        HTTP::respond 401 content "" "WWW-Authenticate" "BASIC realm=\"$::realm\""
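The following is an added example, not code from the poster or from F5, showing one way to do the per-URI client-cert and LDAP Basic-auth enforcement entirely on the request side, so no 401 has to be sent from HTTP_RESPONSE. It assumes two data groups (classes) named cert_uris and ldap_uris holding URI prefixes, an LDAP auth profile named default_ldap, and a fixed realm string; all of those names are assumptions. The ordering is the point: the 401 challenge goes out before anything is collected or renegotiated, the client-cert renegotiation holds the request, and the LDAP check is started from CLIENTSSL_CLIENTCERT once the cert has arrived, with AUTH_SUCCESS releasing the held request.

```tcl
# Added example (not from the original post or F5). Assumed names:
# data groups "cert_uris" / "ldap_uris", LDAP auth profile "default_ldap".
when CLIENT_ACCEPTED {
    # Per-connection state. A cert obtained by renegotiation stays on the
    # TCP connection, so later keep-alive requests skip the renegotiate.
    set pending_ldap 0
    set ldap_user ""
    set ldap_pass ""
    set tmm_auth_ldap_sid ""
}

when HTTP_REQUEST {
    set need_cert [matchclass [HTTP::uri] starts_with $::cert_uris]
    set need_ldap [matchclass [HTTP::uri] starts_with $::ldap_uris]
    set pending_ldap 0

    # 1. Challenge for Basic credentials first. Nothing has been collected
    #    or renegotiated yet, so this 401 is delivered normally.
    if { $need_ldap && ([HTTP::username] eq "") } {
        HTTP::respond 401 content "" "WWW-Authenticate" "Basic realm=\"example\""
        return
    }
    set ldap_user [HTTP::username]
    set ldap_pass [HTTP::password]

    # 2. Hold the request and force a client-cert renegotiation if this
    #    URI needs a cert and the connection does not have one yet.
    if { $need_cert && ([SSL::cert count] < 1) } {
        set pending_ldap $need_ldap
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
        return
    }

    # 3. Cert present (or not required): run LDAP now if this URI needs it.
    if { $need_ldap } {
        HTTP::collect
        set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
        AUTH::username_credential $tmm_auth_ldap_sid $ldap_user
        AUTH::password_credential $tmm_auth_ldap_sid $ldap_pass
        set ldap_pass ""
        AUTH::authenticate $tmm_auth_ldap_sid
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the renegotiation completes. With "mode require" a client
    # that sends no cert should already have failed the handshake; check
    # anyway rather than trusting the mode alone.
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    if { $pending_ldap } {
        # Cert is good; the request is still held from HTTP_REQUEST, so
        # start LDAP with the credentials captured before the renegotiate.
        set tmm_auth_ldap_sid [AUTH::start pam default_ldap]
        AUTH::username_credential $tmm_auth_ldap_sid $ldap_user
        AUTH::password_credential $tmm_auth_ldap_sid $ldap_pass
        set ldap_pass ""
        AUTH::authenticate $tmm_auth_ldap_sid
    } else {
        HTTP::release
    }
}

when AUTH_SUCCESS {
    if { $tmm_auth_ldap_sid eq [AUTH::last_event_session_id] } {
        HTTP::release
    }
}

when AUTH_FAILURE {
    if { $tmm_auth_ldap_sid eq [AUTH::last_event_session_id] } {
        HTTP::respond 401 content "" "WWW-Authenticate" "Basic realm=\"example\""
    }
}

when AUTH_ERROR {
    if { $tmm_auth_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}
```

One caveat worth keeping in mind with the HTTP_RESPONSE workaround shown in the post: by the time HTTP_RESPONSE fires, the pool member has already received and processed the unauthenticated request, and the 401 or redirect only replaces the response the client sees. Doing the checks in HTTP_REQUEST, as in this example, keeps the request from reaching the server until the cert and LDAP checks have passed. The example also clears the captured password variable as soon as it has been handed to AUTH::password_credential, so it is not kept in connection memory longer than needed.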