Forum Discussion
Karthik_Kumaran
Nimbostratus
NimbostratusInsert Common Name Value to HTTP Header
We have a Virtual server that listens on 443, offloads-ssl and forwards connection to the server on 80.
We want to insert the SSL certificate's Common-name in the http header, when the LTM send the ...
Karthik_KumaranNimbostratus
Nimbostratusthanks for the responses Mike and Steve.
Steve, in your iRule, the "when CLIENTSSL_CLIENTCERT" condition, does it make the header changes required during the LTM-to-backendPoolServer communication? In my case Client hits Virtual Server on 443, LTM does ssl-offload and transfers connection to backendPoolServer on 80. I want the CN insertion in the header while the LTM sends connection to backendPoolServer on 80.
StephanManthey
Nacreous
NacreousHi Karthik,
yes, that´s exactly the expected behavior.
In context of CLIENTSSL_CLIENTCERT the CN will be retrieved from the certificate send by the client and be stored in a variable.
After the client has send an http request over the established connection the HTTP_REQUEST event will be fired and the header named "ClientCertSubjectCn" will be inserted with the value of the CN.
Feel free to give another name to the header. I just picked this name as I do not know exactly the header name the ACE will use. After looking up the Cisco doc it looks like the header name is "ClientCert-Subject-CN".
That´s why the relevant line would be changed into:
HTTP::header insert ClientCert-Subject-CN "$ssl_clientcert_subject_cn"
Thanks, Stephan
PS: For testing proper client auth configuration in your client-ssl profile you may want to use the posted iRule (2nd one for SSL) in the following thread:
https://devcentral.f5.com/questions/irule-to-emulate-web-server-in-lab-environment-plaintext-version-nossl
