How do I modify header fields on additional sockets?
I added an iRule to capture the x509 CN name from a CAC and insert it in the header (see below):
```tcl
when CLIENTSSL_CLIENTCERT {
    set debug 0
    if { [SSL::cert 0] eq "" } {
        # No client certificate presented: drop the connection
        reject
    } else {
        set ssl_cert [SSL::cert 0]
        set subject [X509::subject [SSL::cert 0]]
        # Turn "CN=...,OU=...,O=..." into an array keyed by RDN type
        array set subject_fields [split $subject ",="]
    }
}

when HTTP_REQUEST {
    if { [info exists subject_fields(CN)] } {
        HTTP::header insert es-security-runas-user $subject_fields(CN)
        log local0. "[HTTP::request]"
    }
}
```
My customer still has an issue with this working and did a packet capture and discovered that the headers that are added by the iRule are only being added to the first TCP socket pair for the session. If more socket pairs are opened for the session, then the header is not added to those packets. This is causing the server to end the user's session and return them to the login screen.
Can someone recommend a way to insert the header data (the CN from the CAC) into the headers of additional sockets in the user's session?
Thanks.
3 Replies
- AwesomeNetwork1
Nimbostratus
I have no oneConnect Profile assigned to the VIP...should I?
- AwesomeNetwork1
Nimbostratus
The article that you listed is not helpful. There is one pool member and load balancing is not going on.
- DevBabu
Cirrus
CLIENTSSL_CLIENTCERT is triggered when BIG-IP receives a certificate message from the client. I think it happens at the time of a new SSL handshake process.
You can use a session table to store the client cert / subject field using client IP address as key. Later in the HTTP request when you see the client IP retrieve the value from the table and insert it in the header.
Check this out if it helps https://devcentral.f5.com/articles/irules-101-12-the-session-command
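The session-table approach described in the reply above, written out as a complete iRule. This is an added example, not DevBabu's code and not anything from F5 or the original post; the header name es-security-runas-user comes from the question, while the subtable name cac_cn, the 1800-second idle timeout, and the fail-closed 403 response are choices made here. It also strips any client-supplied copy of the header before inserting its own, since the back end treats that header as an authenticated identity.

```tcl
# Added example: persist the CAC CN in the session table keyed by client IP
# at handshake time, then re-insert it on every HTTP request, whichever TCP
# connection carries it. Subtable name, timeout and 403 handling are assumptions.

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert 0] eq "" } {
        # No client certificate presented: drop the connection
        reject
        return
    }

    # Walk the subject RDNs ("CN=value,OU=value,...") and pick out CN.
    # string trim copes with subject formats that put a space after each comma.
    set cn ""
    foreach rdn [split [X509::subject [SSL::cert 0]] ","] {
        set idx [string first "=" $rdn]
        if { $idx < 0 } { continue }
        set key [string trim [string range $rdn 0 [expr {$idx - 1}]]]
        set val [string trim [string range $rdn [expr {$idx + 1}] end]]
        if { $key eq "CN" } { set cn $val }
    }

    if { $cn ne "" } {
        # Key on client IP as the reply suggests: 1800 s idle timeout, no fixed lifetime
        table set -subtable cac_cn [IP::client_addr] $cn 1800 indefinite
    }
}

when HTTP_REQUEST {
    # Never forward a copy of this header that arrived from the client;
    # only the value taken from the verified certificate may reach the server.
    HTTP::header remove es-security-runas-user

    set cn [table lookup -subtable cac_cn [IP::client_addr]]
    if { $cn ne "" } {
        HTTP::header insert es-security-runas-user $cn
    } else {
        # No certificate record for this client: fail closed rather than
        # sending an anonymous request into an application that expects the header
        HTTP::respond 403 content "Client certificate required"
    }
}
```

Two points to check before relying on this. Keying the table on client IP means every user behind a shared NAT address maps to the last certificate that completed a handshake from that address, so on such networks a key tied to the TLS session (for example the value of SSL::sessionid, which is stable across resumed connections) is the safer choice. And the HTTP_REQUEST branch deliberately fails closed when no table entry exists; if the application has unauthenticated paths, narrow that branch to the URIs that require the identity header.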