Forum Discussion

Mr_Moody's avatar
Mr_Moody
Icon for Nimbostratus rankNimbostratus
Sep 22, 2020

Help with irule for bypassing client authentication certificates by IP

Hello, I'm looking for help with an irule that will bypass the client authentication certificate for a group of ip addresses. Currently we have the client cert auth working with a client ssl profile in LTM set to require client authentication. We would like to allow certain IP addresses access to the site without client certificates.

I assume that I would need to change the ssl profile to 'request' client auth and create an irule to handle things from there. I think the logic should be something to the affect:

if ip is in data group list of IP addresses->allow access without cert

request client certificate->if valid cert presented->allow access

If no cert and not on list->deny access

 

Any help would be appreciated.

 

iRules
LTM
security
  • iaine's avatar
    iaine
    Icon for Nacreous rankNacreous
    Sep 23, 2020

    Hi

     

    You could create a second SSL profile that doesn't require client auth and then use this profile for specific IPs. There's an example here on clouddocs

  • Mr_Moody's avatar
    Mr_Moody
    Icon for Nimbostratus rankNimbostratus
    Oct 16, 2020

    Thank you for the response. Your answer helped me end up with the below. The key was that the ssl profile assigned to the VS had to be set to ignore.

    when HTTP_REQUEST {

      if {[HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2"} {

       if {not [matchclass [IP::remote_addr] equals NOCERT_IP_LIST]} {

        SSL::session invalidate

        SSL::authenticate always

        SSL::authenticate depth 9

        SSL::cert mode require

        set cmd "SSL::profile /Common/require_clientssl"

        eval $cmd

        SSL::renegotiate

        event disable all

      }

    }

    }