Forum Discussion
Here's something to get started...this will pick up the client cert if present, and expects in the static variables for you to set a validation string to compare to what's received dynamically from clients. It also expects you to set the client certificate field to request instead of the default ignore in the client-ssl profile. Once that's done, you can set the mode to require in the /auth URI requests and then do your other actions (not included)
when RULE_INIT {
set static::sdn_validator "subject_validation_string"
set static::idn_validator "issuer_validation_string"
}
when CLIENTSSL_CLIENTCERT {
if { [SSL::cert 0] != "" } {
set subject_dn [X509::subject [SSL::cert 0]]
set issuer_dn [X509::issuer [SSL::cert 0]]
if { ($subject_dn contains $static::sdn_validator) and ($issuer_dn contains $static::idn_validator) } {
set client_cert_validated 1
}
}
}
when HTTP_REQUEST {
if { [HTTP::uri] == "/auth" }
# make sure in your client-ssl profile you set the client certificate field to "request", default is ignore
SSL::cert mode require
if { [info exists client_cert_validated] } {
# Certificate was present AND validated...do stuff here
}
}
Noticed there are other requests of similar nature from you elsewhere, we might want to summarize the ask in a single thread to keep it all straight so we're not solving issues in one that creates issues in others.
- AndreiaMar 01, 2023Cirrus
Hello, JRahm.
First, thanks for replying. I really like your videos on F5 DevCentral! You rock!
And I'm sorry, I was wrong about what I wrote above: /auth DOES NOT authenticate the client's certificate, the other requests do validate the client's certificate.
Telling the WHOLE story, here we go:
TODAY the company I provide services for has the following scenario:
Internet -> Virtual Server with a Client SSL Profile with SSL Proxy-> Pool with NGINX servers that make a reverse proxy (so, this is where you have the application certificate) -> URL of the API service, incrementing BEFORE /auth something like /abc /xyz/authIn this scenario you have the following rule on the reverse proxy (NGINX):
If URI starts with /auth, nginx does not validate client certificate; it just forwards the request to the API URL, incrementing the URI /abc/xyz/auth, for example.
Any other request, it validates the client's certificate. If the client's certificate is not in a file.crt (CA Bundle), the client receives a 403 response.I want to do the EXACT SAME THING with BIG-IP. I want to remove the NGINX reverse proxy from the scenario.
The application's Virtual server already has the client's ssl profile with the settings for validating the certificates in the ca-bundle.
The problem is that I can't make an iRule like:
If URI starts with "/auth" then SSL::cert mode ignore, or something like that.
I made a rule with datagroup, that's why I'm asking about how to read the list in the Trusted Certificate Authorities via iRule, but it didn't help much because the iRule only accepts manipulating which Client SSL Profile will be used in the CLIENT_ACCEPT, but in this case, it doesn't handle URI.Developers are complaining a lot about the browser pop-up asking to choose which client certificate to use, and this is configurable in the NGINX code, but I didn't find anything similar in the iRule to handle this.
And that's it. I'm sorry for "spreading" the same question in several different topics.
Thanks for your time!
- Robert_HaynesMar 02, 2023Ret. Employee
Does this help?
It will do client cert auth by uri.
https://community.f5.com/t5/technical-articles/doing-mtls-authentication-per-url/ta-p/302979
- AndreiaMar 03, 2023Cirrus
Hi, RobE!
Thanks for replying!
I tried that iRule you posted. In fact everything that IS NOT "/auth" will have the client's certificate validated. If it is /auth it does not validate the client's certificate and increments /abc/xyz before /auth.
Tests reading a ca-bundle with valid certificates went OK. But when I read a ca-bundle with invalid certificates I get the "Connection Reset" error.Just to make it clear, I put the /auth conditional to VALIDATE the client certificate just for TEST, to be as identical as possible to your iRule:
when HTTP_REQUEST {
if { [HTTP::path] eq "/auth" } {
if { [SSL::cert count] > 0 } {
if { [SSL::verify_result ] == 0 } {
# Good mTLS result, exit from this check
return
} else {
set error_string [X509::verify_cert_error_string [SSL::verify_result]]
}
} else {
set error_string "No client certificate provided"
}
# If we are still executing this iRule, the client did not present a cert or did not present a valid cert
HTTP::respond 403 content "<html>Invalid client certificate: $error_string</html>"
}
}According to the above iRule, is it expected to receive "Connection Reset" when the request is made to /auth after choosing the certificate in the popup window?
(remembering that, for testing purposes, I am using an INVALID certificate)