ashbeyk_127079
Nimbostratus
Sep 22, 2005
Conditional client cert and LDAP auth
I am trying to create a reverse proxy using iRules. This requires that certain URLs require client certs, others don't and that certain URLs require LDAP auth, others don't.
I am checking the passe...
ashbeyk_127079
Nimbostratus
Sep 28, 2005
The sequence of events is:
In HTTP_REQUEST:
1) Check incoming URL
2) If target needs a client cert then do SSL::renegotiate
3) If target also needs LDAP auth (which should be prompted for after the cert auth), send back a 401
If I try to do both 2 and 3 in the HTTP_REQUEST section I see the following when running some snooping software on the IE browser:
ERROR_INTERNET_SECURITY_CHANNEL_ERROR
The only way I can get it to work is to allow the connection through to the back end server then intercept the response with HTTP_RESPONSE and change it to send a 401 back to the browser. This works but I don't want any traffic to reach the back end server before all auth has completed.
Firefox behaves differently: the LDAP auth dialog appears first, followed by the cert dialog ~20 seconds later. Again this is not ideal.
So, is there any way to do conditional cert auth and LDAP auth after examining the incoming URL but before any traffic has reached the target server?
