Forum Discussion

Andreia's avatar
Andreia
Icon for Cirrus rankCirrus
Feb 14, 2023

[HELP PLEASE!] Client Certificate Validation based on URI

Hello! I need help making an iRule that does the following: 1 - if the request goes to "/auth" the client's certificate is not validated, but when BIG-IP forwards a request to the API server in the...
devops
Paulius's avatar
Paulius
Icon for MVP rankMVP

Andreia You might try the following iRule but I'm not 100% positive if this is the correct iRule so please do some testing prior to implementing this in production to ensure it is working the way you would expect.

 

when CLIENT_ACCEPTED priority 500 {

    set session_flag 0

}

when CLIENTSSL_HANDSHAKE priority 500 {

    if { [SSL::cert count] != 0 } {
        log "Client cert is OK; releasing HTTP request."
        HTTP::release
    }

}

when HTTP_REQUEST priority 500 {

    set URI [string tolower [HTTP::uri]]

    if { !(${URI} starts_with "/auth") } {
        log "Certificate required for: ${URI}"

        HTTP::collect
        set session_flag 1
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate

        if { [SSL::cert count] > 0} {
            if { [SSL::verify_result] == 0 }{
                return
            } else {
                set error_string [X509::verify_cert_error_string [SSL::verify_result]]
            }
            
        } else {
            set error_string "No client certificate provided"
            HTTP::respond 403 content "<html>Invalid client certificate: ${error_string}</html>"
        }
    } else {
        log "No certificate needed for: ${URI}"
    }

}

 

Andreia's avatar
Andreia
Icon for Cirrus rankCirrus
Feb 15, 2023

Paulius,

I did the test again on "In Private" mode. Look what logs reported:

Feb 15 10:48:28  err tmm1[16269]: 01220001:3: TCL error: /Common/irule_auth-opin-dev_v2 <HTTP_REQUEST> - can't read "error_strign": no such variable while executing "HTTP::respond 403 content "<html>Invalid client certificate: ${error_strign}</html>""
Feb 15 10:48:28 info tmm6[16269]: 01220002:6: Rule /Common/irule_auth-opin-dev_v2 <HTTP_REQUEST>: Certificate required for: /xyz/abc/customers/management/health
Feb 15 10:48:28  err tmm6[16269]: 01220001:3: TCL error: /Common/irule_auth-opin-dev_v2 <HTTP_REQUEST> - can't read "error_strign": no such variable while executing "HTTP::respond 403 content "<html>Invalid client certificate: ${error_strign}</html>""

Can you help?

Thank you!

  • Andreia's avatar
    Andreia
    Icon for Cirrus rankCirrus
    Feb 15, 2023

    Paulius,

    I fixed the ${error_strign} to ${error_string} and now I'm receving connection reset when I do a request to another URI that is not /auth. For /auth URI goes Ok!

    I'm sorry for a lot of answers it's because I'm reporting while I'm doing the tests.

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP
      Feb 15, 2023

      Andreia No worries at all. Is it working the way you would expect now? Sorry for the typing error on "error_string" but good job fixing that.

      • Andreia's avatar
        Andreia
        Icon for Cirrus rankCirrus
        Feb 15, 2023

        Hi, Paulius!

        Unfortunately not 😞
        Now I'm receiving "Connection Reset" on browser.
        I will try to do the opposite: do all the configuration on the SSL Client Profile works, and, when the request starts with /auth will disable the need to validate the client certificate.

        Wish me luck! LOL 

        Thanks a lot!