For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mr_Moody's avatar
Mr_Moody
Icon for Nimbostratus rankNimbostratus
Sep 22, 2020

Help with irule for bypassing client authentication certificates by IP

Hello, I'm looking for help with an irule that will bypass the client authentication certificate for a group of ip addresses. Currently we have the client cert auth working with a client ssl profile...
iRules
LTM
security
Mr_Moody's avatar
Mr_Moody
Icon for Nimbostratus rankNimbostratus
Oct 16, 2020

Thank you for the response. Your answer helped me end up with the below. The key was that the ssl profile assigned to the VS had to be set to ignore.

when HTTP_REQUEST {

  if {[HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2"} {

   if {not [matchclass [IP::remote_addr] equals NOCERT_IP_LIST]} {

    SSL::session invalidate

    SSL::authenticate always

    SSL::authenticate depth 9

    SSL::cert mode require

    set cmd "SSL::profile /Common/require_clientssl"

    eval $cmd

    SSL::renegotiate

    event disable all

  }

}

}