Forum Discussion
Miguel_111028
Nimbostratus
Oct 23, 2008
Inserting SSL client certificate into the header of the HTTP session
Hello group,
I do not have much experience in creating iRules and I need to set an iRule on an https virtual server with client certificate authentication. The iRule should do the following:
1. Insert the entire client certificate (in PEM format) as a multiline HTTP header named X-Client-Cert into the incoming HTTP request and send this header to the backend server.
2. Insert the original IP address of the client into an HTTP header named X-Forwarder-For and send this header to the backend server. I need this because I must use the auto map SNAT Pool feature in the implied virtual servers.
Is it possible to do all this in only one iRule?
Thank you.
Miguel Angel.
16 Replies
- Nath
Cirrostratus
Hi Nitass,
We're stuck w/ the same issue here. We have a redirection from http -> https://abc.com:/uri/loginpage
But after we log in, the https traffic became http. Has F5 encountered this kind of scenario before?
Thanks,
-Nat
- Miguel_111028
Nimbostratus
Hello,

```tcl
when CLIENTSSL_HANDSHAKE {
    # Store the client certificate in the session table, keyed by SSL session ID
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}
when HTTP_REQUEST {
    # Look up the stored certificate and insert it in PEM form
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        HTTP::header insert X-Client-Cert [X509::whole $the_cert]
    }
}
```
- hoolio
Cirrostratus
There is a codeshare example which should work to insert the cert in a header:

```tcl
when CLIENTSSL_CLIENTCERT {
    # set time to maintain session data (in seconds)
    set session_timeout 7200
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
}
when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]
    } else {
        # send HTTP 302 redirect to an error page
        HTTP::redirect "http://192.168.0.64/error.html"
    }
}
```
- Miguel_111028
Nimbostratus
Thank you Aaron,

```tcl
when CLIENTSSL_CLIENTCERT {
    # Store the client certificate in the session table, keyed by SSL session ID
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}
when HTTP_REQUEST {
    # Look up the stored certificate and insert it in PEM form
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        HTTP::header insert x-client-cert [X509::whole $the_cert]
    }
}
```
- hoolio
Cirrostratus
Hi Miguel,

```tcl
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        # Rewrite the Location header from http to https
        HTTP::header replace Location [string map -nocase {http:// https://} [HTTP::header value Location]]
    }
}
```
- hoolio
Cirrostratus
Sorry for that. This is a very annoying bug noted in SOL7988.

```tcl
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        # Rewrite the Location header from http to https
        HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
    }
}
```
- Miguel_111028
Nimbostratus
Thank You Aaron,
- orangepeelbeef_
Nimbostratus
nevermind, my view didn't include the resolution for some reason......
- jeff_estes_4238
Altostratus
I was wondering if inserting the client cert into the header does away with the need for a server ssl profile, or does the VS still need to establish the ssl session with the backend server using its cert first?
- hoolio
Cirrostratus
Hi Jeffrey,
- jeff_estes_4238
Altostratus
Thanks Aaron,
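
An added example, not code from any poster in this thread: one iRule covering both requests in the original question, which also removes any X-Client-Cert or X-Forwarded-For header the client sent so the backend only sees values set on the BIG-IP. It assumes the conventional X-Forwarded-For header name, the session-table pattern from the iRules above, and the 7200-second timeout from the codeshare example.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Nothing to store if the client presented no certificate.
    if { [SSL::cert count] < 1 } { return }

    # Keep the certificate together with its verification result,
    # keyed by SSL session ID (same pattern as the codeshare example).
    set verify [X509::verify_cert_error_string [SSL::verify_result]]
    session add ssl [SSL::sessionid] [list [SSL::cert 0] $verify] 7200
}

when HTTP_REQUEST {
    # Remove client-supplied copies first. Without this, a request that
    # already carries these headers reaches the backend with values the
    # BIG-IP never set.
    HTTP::header remove X-Client-Cert
    HTTP::header remove X-Forwarded-For

    # SNAT automap hides the client address from the pool member,
    # so pass it along explicitly.
    HTTP::header insert X-Forwarded-For [IP::client_addr]

    # Forward the certificate (PEM) only if one was stored for this
    # SSL session and it verified cleanly.
    set stored [session lookup ssl [SSL::sessionid]]
    if { $stored ne "" && [lindex $stored 1] eq "ok" } {
        HTTP::header insert X-Client-Cert [X509::whole [lindex $stored 0]]
    }
}
```

The backend should accept these headers only on connections that come from the BIG-IP, since any other path to the pool member could set them freely.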