Forum Discussion
Mr_Moody
Oct 30, 2020Nimbostratus
Help with IRule Client Auth Certs
I have an IRule below that I'm working on. My intent is to enforce client certificate authentication on two URI's only and if any client certificate errors should result in a redirect to a custom er...
- Nov 01, 2020
Your HTTP::respond 302 is in the else clause of your second if statement.
It is never reached.
when HTTP_REQUEST { if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} { # This path has no client-authentication return } else { # perform client-authentication if the uri matches if { ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} { SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require set cmd "SSL::profile /Common/require_clientssl" eval $cmd SSL::renegotiate } else { # we cannot execute this path because of the first *if* statement if {[SSL::verify_result] == 0 }{ return } else { HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache } } } }
Try something like
when HTTP_REQUEST { if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} { # we don't need to renegotiate with client-authentication return } else { # we do need to renegotiate with client-authentication SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require set cmd "SSL::profile /Common/require_clientssl" eval $cmd SSL::renegotiate # check if renegotiation with client-auth succeeded if {[SSL::verify_result] == 0 }{ return } else { HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache } } }
but I haven't tested this to check ...
Simon_Blakely
Nov 01, 2020Employee
Your HTTP::respond 302 is in the else clause of your second if statement.
It is never reached.
when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
# This path has no client-authentication
return
} else {
# perform client-authentication if the uri matches
if { ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
set cmd "SSL::profile /Common/require_clientssl"
eval $cmd
SSL::renegotiate
} else {
# we cannot execute this path because of the first *if* statement
if {[SSL::verify_result] == 0 }{
return
} else {
HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
}
}
}
}
Try something like
when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
# we don't need to renegotiate with client-authentication
return
} else {
# we do need to renegotiate with client-authentication
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
set cmd "SSL::profile /Common/require_clientssl"
eval $cmd
SSL::renegotiate
# check if renegotiation with client-auth succeeded
if {[SSL::verify_result] == 0 }{
return
} else {
HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
}
}
}
but I haven't tested this to check ...
- Mr_MoodyNov 02, 2020Nimbostratus
Thank you that was it! I also had to change the cert mode to 'request'.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects