Forum Discussion
Karthik_Kumaran
Mar 20, 2015
Nimbostratus
Insert Common Name Value to HTTP Header
We have a Virtual server that listens on 443, offloads-ssl and forwards connection to the server on 80.
We want to insert the SSL certificate's Common-name in the HTTP header, when the LTM sends the ...
Karthik_Kumaran
Nimbostratus
Thanks for the responses, Mike and Steve.
Steve, in your iRule, the "when CLIENTSSL_CLIENTCERT" condition, does it make the header changes required during the LTM-to-backendPoolServer communication? In my case Client hits Virtual Server on 443, LTM does ssl-offload and transfers connection to backendPoolServer on 80. I want the CN insertion in the header while the LTM sends connection to backendPoolServer on 80.
Mar 26, 2015
Hi Karthik,
Yes, that's exactly the expected behavior.
In context of CLIENTSSL_CLIENTCERT the CN will be retrieved from the certificate sent by the client and be stored in a variable.
After the client has sent an HTTP request over the established connection the HTTP_REQUEST event will be fired and the header named "ClientCertSubjectCn" will be inserted with the value of the CN.
Feel free to give another name to the header. I just picked this name as I do not know exactly the header name the ACE will use. After looking up the Cisco doc it looks like the header name is "ClientCert-Subject-CN".
That's why the relevant line would be changed into:
HTTP::header insert ClientCert-Subject-CN "$ssl_clientcert_subject_cn"
Thanks, Stephan
PS: For testing proper client auth configuration in your client-ssl profile you may want to use the posted iRule (2nd one for SSL) in the following thread:
https://devcentral.f5.com/questions/irule-to-emulate-web-server-in-lab-environment-plaintext-version-nossl
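The two-event flow described in the reply above, as an added example that is not the iRule posted by Steve or Stephan. The header name and the variable name come from the thread; the CLIENT_ACCEPTED initialisation, the `findstr` parsing of the subject DN (assumed to be comma-separated with a `CN=` component) and the removal of any client-supplied copy of the header are assumptions added here so the backend on port 80 only ever sees a value set by the LTM.

```tcl
when CLIENT_ACCEPTED {
    # Assumption: initialise per connection so HTTP_REQUEST never reads an
    # unset variable when no client certificate was presented.
    set ssl_clientcert_subject_cn ""
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client certificate arrives during the handshake on 443.
    set ssl_clientcert_subject_cn ""
    if { [SSL::cert count] > 0 } {
        # Full subject DN of the leaf certificate (index 0).
        set subject_dn [X509::subject [SSL::cert 0]]
        # Take the text after "CN=" up to the next comma.
        # Assumption: the CN itself contains no comma.
        set ssl_clientcert_subject_cn [findstr $subject_dn "CN=" 3 ","]
    }
}

when HTTP_REQUEST {
    # Fires for each decrypted request before it is sent to the pool member.
    # Remove any copy of the header the client sent itself, so the backend
    # cannot be handed a CN that did not come from the verified certificate.
    HTTP::header remove "ClientCert-Subject-CN"

    if { $ssl_clientcert_subject_cn ne "" } {
        HTTP::header insert "ClientCert-Subject-CN" $ssl_clientcert_subject_cn
    }
}
```

The header value is only as trustworthy as the client-ssl profile's certificate validation, and the backend should accept plain-HTTP connections from the LTM only.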