Forum Discussion
How to read "Trusted Certificate Authorities" in an iRule?
Hello, JRahm.
First, thanks for replying. I really like your videos on F5 DevCentral! You rock!
And I'm sorry, I was wrong about what I wrote above: /auth DOES NOT authenticate the client's certificate, the other requests do validate the client's certificate.
Telling the WHOLE story, here we go:
TODAY the company I provide services for has the following scenario:
Internet -> Virtual Server with a Client SSL Profile with SSL Proxy -> Pool with NGINX servers that make a reverse proxy (so this is where you have the application certificate) -> URL of the API service, incrementing BEFORE /auth something like /abc/xyz/auth
In this scenario you have the following rule on the reverse proxy (NGINX):
If URI starts with /auth, nginx does not validate client certificate; it just forwards the request to the API URL, incrementing the URI /abc/xyz/auth, for example.
Any other request, it validates the client's certificate. If the client's certificate is not in a file.crt (CA Bundle), the client receives a 403 response.
I want to do the EXACT SAME THING with BIG-IP. I want to remove the NGINX reverse proxy from the scenario.
The application's Virtual Server already has the Client SSL profile with the settings for validating the certificates in the CA bundle.
The problem is that I can't make an iRule like:
If URI starts with "/auth" then SSL::cert mode ignore, or something like that.
I made a rule with a data group, that's why I'm asking about how to read the list in the Trusted Certificate Authorities via iRule, but it didn't help much because the iRule only accepts manipulating which Client SSL Profile will be used in CLIENT_ACCEPTED, but in this case it doesn't handle the URI.
Developers are complaining a lot about the browser pop-up asking to choose which client certificate to use, and this is configurable in the NGINX code, but I didn't find anything similar in the iRule to handle this.
And that's it. I'm sorry for "spreading" the same question in several different topics.
Thanks for your time!
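The per-URI behaviour described above (no client-certificate check under /auth plus the /abc/xyz prefix, a 403 everywhere else on a missing or untrusted certificate), as an added iRule example that is not code from this thread or from F5. It assumes the Client SSL profile's Client Authentication is set to "request" (not "require"), so HTTP_REQUEST still fires when the presented certificate fails against the Trusted Certificate Authorities bundle; the /abc/xyz prefix and the X-Client-Cert-Subject header name are placeholders.

```tcl
# Added example, not the thread author's or F5's code. Assumes the Client SSL
# profile has Client Authentication = "request" with the CA bundle as
# Trusted Certificate Authorities, so this event runs even when the
# presented cert fails validation. /abc/xyz is the thread's placeholder prefix.
when HTTP_REQUEST {
    # /auth (and anything beneath it) is the unauthenticated bootstrap path:
    # skip the client-cert check and rewrite the path the way the old NGINX
    # proxy did, e.g. /auth/token -> /abc/xyz/auth/token
    if { [HTTP::path] starts_with "/auth" } {
        HTTP::path "/abc/xyz[HTTP::path]"
        return
    }

    # Every other path requires a client certificate that chains to the
    # profile's CA bundle. SSL::verify_result is the OpenSSL verify code:
    # 0 means the chain validated, anything else is an X509_V_ERR_* value.
    if { [SSL::cert count] == 0 } {
        set error_string "No client certificate provided"
    } elseif { [SSL::verify_result] == 0 } {
        # Valid mTLS client: pass the subject to the backend for logging/authz
        # (placeholder header name)
        HTTP::header replace "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
        return
    } else {
        set error_string [X509::verify_cert_error_string [SSL::verify_result]]
    }

    # Reached only when the cert was missing or failed validation. Log the
    # reason on the BIG-IP and mirror the 403 the NGINX config returned.
    log local0. "mTLS rejected [IP::client_addr] for [HTTP::path]: $error_string"
    HTTP::respond 403 content "<html>Invalid client certificate: $error_string</html>" "Content-Type" "text/html"
}
```

Because the profile requests a certificate on every connection, the browser certificate prompt still appears for /auth; only the validation result is ignored there.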
Does this help?
It will do client cert auth by URI.
https://community.f5.com/t5/technical-articles/doing-mtls-authentication-per-url/ta-p/302979
- Andreia, Mar 03, 2023 (Cirrus)
Hi, RobE!
Thanks for replying!
I tried that iRule you posted. In fact, everything that IS NOT "/auth" will have the client's certificate validated. If it is /auth it does not validate the client's certificate and increments /abc/xyz before /auth.
Tests reading a CA bundle with valid certificates went OK. But when I read a CA bundle with invalid certificates I get the "Connection Reset" error. Just to make it clear, I put the /auth conditional to VALIDATE the client certificate just for TEST, to be as identical as possible to your iRule:

    when HTTP_REQUEST {
        # Test variant: only /auth is checked here, to mirror the posted iRule
        if { [HTTP::path] eq "/auth" } {
            if { [SSL::cert count] > 0 } {
                if { [SSL::verify_result] == 0 } {
                    # Good mTLS result, exit from this check
                    return
                } else {
                    # Map the OpenSSL verify code to its text description
                    set error_string [X509::verify_cert_error_string [SSL::verify_result]]
                }
            } else {
                set error_string "No client certificate provided"
            }
            # If we are still executing this iRule, the client did not present a cert or did not present a valid cert
            HTTP::respond 403 content "<html>Invalid client certificate: $error_string</html>"
        }
    }

According to the above iRule, is it expected to receive "Connection Reset" when the request is made to /auth after choosing the certificate in the popup window?
(remembering that, for testing purposes, I am using an INVALID certificate)
- Robert_Haynes, Mar 07, 2023 (Ret. Employee)
Hi,
Are you setting the Client Authentication to "Request" on the Client SSL profile? I would have thought that unless the iRule was crashing (you can check the logs for that) you shouldn't get a connection reset.