[HELP PLEASE!] Client Certificate Validation based on URI
Andreia, you might try the following iRule, but I'm not 100% positive that this is the correct iRule, so please do some testing prior to implementing this in production to ensure it is working the way you would expect.
when CLIENT_ACCEPTED priority 500 {
    # Per-connection flag: 1 while an HTTP request is held waiting for a renegotiated handshake
    set session_flag 0
}

when CLIENTSSL_HANDSHAKE priority 500 {
    # Only act on the handshake we triggered ourselves with SSL::renegotiate;
    # the certificate is not available until this event fires.
    if { [info exists session_flag] && ${session_flag} == 1 } {
        set session_flag 0
        if { [SSL::cert count] > 0 } {
            if { [SSL::verify_result] == 0 } {
                log "Client cert is OK; releasing HTTP request."
                HTTP::release
                return
            }
            set error_string [X509::verify_cert_error_string [SSL::verify_result]]
        } else {
            set error_string "No client certificate provided"
        }
        # Both failure cases (no cert, cert failed verification) get the 403
        log "Rejecting held request: ${error_string}"
        HTTP::respond 403 content "<html>Invalid client certificate: ${error_string}</html>"
    }
}

when HTTP_REQUEST priority 500 {
    set URI [string tolower [HTTP::uri]]
    if { !(${URI} starts_with "/auth") } {
        if { [SSL::cert count] > 0 } {
            # A certificate was already presented earlier on this (keep-alive) connection
            if { [SSL::verify_result] == 0 } {
                return
            }
            set error_string [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::respond 403 content "<html>Invalid client certificate: ${error_string}</html>"
            return
        }
        log "Certificate required for: ${URI}"
        # Hold the request. Renegotiation is asynchronous, so do not inspect
        # SSL::cert count here; that happens in CLIENTSSL_HANDSHAKE.
        HTTP::collect
        set session_flag 1
        SSL::authenticate always
        SSL::authenticate depth 9
        # "request" rather than "require": with "require" a missing certificate aborts
        # the handshake at the TLS layer and the 403 branch above is never reached
        SSL::cert mode request
        SSL::renegotiate
    } else {
        log "No certificate needed for: ${URI}"
    }
}
Hi, Paulius!
Thank you for replying! I pasted the iRule into the test environment and the behavior is the same:
no pop-up window in the browser to select the client certificate. (Is there a way to make this pop-up not appear, as happens on nginx with the "ssl_verify_client on" line? OK! I'm sorry, I'm overlapping subjects! I will not go on with it right now.)
What leaves me in doubt is that when I do a simple iRule, with these same settings in the Client SSL profile, with the list of certificates selected in the "Trusted Certificate Authorities", it works! But I actually need to handle this URI-related conditional. And if we try to do the opposite: when the request goes to "/auth", will it turn OFF this client certificate verification? Can you help me with this?
Thanks!
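As an added illustration (not code posted by either participant in this thread) of the "opposite" direction raised above, the following iRule assumes the Client SSL profile is configured with client certificate mode "request" rather than "require", with the trusted CA bundle selected. The TLS handshake finishes before the URI is known, so the browser is prompted for a certificate on every connection; the iRule then decides per URI whether a missing or invalid certificate is fatal, with "/auth" exempt. No renegotiation or HTTP::collect is needed. The X-Client-Cert-Subject header name is an assumption chosen for this example.

```tcl
when HTTP_REQUEST {
    # Strip any client-supplied copy of the header we set below, so a backend
    # that trusts it cannot be fed a forged certificate subject.
    HTTP::header remove "X-Client-Cert-Subject"

    set uri [string tolower [HTTP::uri]]

    if { ${uri} starts_with "/auth" } {
        # Exempt path: served whether or not a certificate was presented
        log local0. "No certificate needed for: ${uri}"
        return
    }

    if { [SSL::cert count] == 0 } {
        # Profile mode "request" let the handshake complete without a cert;
        # enforce it here for every non-exempt URI
        log local0. "Rejected ${uri}: no client certificate provided"
        HTTP::respond 403 content "<html>Client certificate required for ${uri}</html>"
        return
    }

    if { [SSL::verify_result] != 0 } {
        # Certificate was presented but did not chain to a trusted CA (or is expired, revoked, etc.)
        set reason [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "Rejected ${uri}: ${reason}"
        HTTP::respond 403 content "<html>Invalid client certificate: ${reason}</html>"
        return
    }

    # Valid certificate: pass the verified subject to the backend (assumed header name)
    HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
}
```

The trade-off against the renegotiation approach is that every visitor sees the certificate prompt, including those only ever requesting "/auth"; in exchange the logic stays in a single event, the 403 page is always reachable, and keep-alive connections are handled naturally because the check runs on each request.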