Forum Discussion
Miguel_111028
Nimbostratus
Oct 23, 2008
Inserting SSL client certificate into the header of the HTTP session
Hello group,
I do not have much experience in creating iRules, and I need to attach an iRule to an HTTPS virtual server with client certificate authentication. The iRule should do the following:
1. Insert the entire client certificate (in PEM format) as a multiline HTTP header named X-Client-Cert into the incoming HTTP request and send this header to the backend server.
2. Insert the original IP address of the client into an HTTP header named X-Forwarded-For and send this header to the backend server. I need this because I must use the SNAT automap feature on the virtual servers involved.
Is it possible to do all this in only one iRule?
Thank you.
Miguel Angel.
16 Replies
- Miguel_111028
Nimbostratus
Hello,
Thank you, Stefan, for the reply; this solves the X-Forwarded-For issue.
For the X-Client-Cert header insertion problem, I think the following iRule can do what I need. Please, can anyone confirm?

when CLIENTSSL_HANDSHAKE {
   set cur [SSL::sessionid]
   set ask [session lookup ssl $cur]
   if { $ask eq "" } {
      # cache the client cert under the SSL session id so HTTP_REQUEST can find it
      session add ssl [SSL::sessionid] [SSL::cert 0]
   }
}
when HTTP_REQUEST {
   set id [SSL::sessionid]
   set the_cert [session lookup ssl $id]
   if { $the_cert ne "" } {
      # X509::whole returns the certificate in PEM format
      HTTP::header insert X-Client-Cert [X509::whole $the_cert]
   }
}

Thank you and regards.
Miguel.
- hoolio
Cirrostratus
There is a codeshare example which should work to insert the cert in a header:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html

when CLIENTSSL_CLIENTCERT {
   # time to maintain session data (in seconds)
   set session_timeout 7200
   set ssl_cert [SSL::cert 0]
   set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
   set ssl_stuff [list $ssl_cert $ssl_errstr]
   session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
}
when HTTP_REQUEST {
   set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
   set ssl_cert2 [lindex $ssl_stuff2 0]
   set ssl_errstr2 [lindex $ssl_stuff2 1]
   if { $ssl_errstr2 eq "ok" } {
      HTTP::header insert SSLClientCertStatus $ssl_errstr2
      HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
      HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]
   } else {
      # send HTTP 302 redirect to an error page
      HTTP::redirect "http://192.168.0.64/error.html"
   }
}

You could enable the checkbox on the HTTP profile for X-Forwarded-For to insert this header. Or you could add it to the above rule:

HTTP::header insert X-Forwarded-For [IP::client_addr]

Aaron
- Miguel_111028
Nimbostratus
Thank you Aaron,
I have tried your suggestion, but in the end I opted for the following iRule:

when CLIENTSSL_CLIENTCERT {
   set cur [SSL::sessionid]
   set ask [session lookup ssl $cur]
   if { $ask eq "" } {
      # cache the client cert under the SSL session id so HTTP_REQUEST can find it
      session add ssl [SSL::sessionid] [SSL::cert 0]
   }
}
when HTTP_REQUEST {
   set id [SSL::sessionid]
   set the_cert [session lookup ssl $id]
   if { $the_cert ne "" } {
      # X509::whole returns the certificate in PEM format
      HTTP::header insert x-client-cert [X509::whole $the_cert]
   }
}

This iRule seems to work, but only when the client SSL profile's client authentication is set to "request". I need to use this iRule when client authentication is set to "require".
I think I'm forgetting something in the iRule syntax. When I set the client SSL profile to require certificate authentication, the BIG-IP breaks the SSL tunnel and doesn't send anything to the backend server. Could it be a bug? Or do I need to add something to the syntax of the iRule when I want to use required certificate authentication?
Any suggestions?
We also need to create an iRule (or add this functionality to the same iRule) to rewrite the protocol of the "Location" header that the user's browser sends, that is, if the BIG-IP sees the following header:
"Location: http://anything" it should rewrite it to "Location: https://anything/".
I'm in version 9.4.5 build 1049.10 Final
Thank you in advance.
Miguel Angel.
- hoolio
Cirrostratus
Hi Miguel,
Do you see a TCL error in /var/log/ltm when the client SSL profile is set to require? Is the client sending a cert? I haven't done much with client certs and iRules, but that's the first thing I'd check. Maybe someone else could weigh in on this?
For the Location header rewrite, you could either enable rewriting of redirects on the HTTP profile or you could use an iRule:

when HTTP_RESPONSE {
   if { [HTTP::is_redirect] } {
      # Rewrite the Location header from http to https
      HTTP::header replace Location [string map -nocase {http:// https://} [HTTP::header value Location]]
   }
}

Aaron
- hoolio
Cirrostratus
Sorry for that. This is a very annoying bug noted in SOL7988.
You can use this instead to work around the bug:

when HTTP_RESPONSE {
   if { [HTTP::is_redirect] } {
      # Rewrite the Location header from http to https
      HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
   }
}

Aaron
- Miguel_111028
Nimbostratus
Thank You Aaron,
Now the configSync is working perfectly.
Miguel.
- orangepeelbeef_
Nimbostratus
Never mind, my view didn't include the resolution for some reason...
- jeff_estes_4238
Altostratus
I was wondering if inserting the client cert into the header does away with the need for a server SSL profile, or does the VS still need to establish the SSL session with the backend server using its cert first?
Any thoughts on this would be
Thanks
- hoolio
Cirrostratus
Hi Jeffrey,
That is up to the web server configuration. If the server requires a client certificate, LTM can be configured with a server SSL certificate to authenticate LTM itself to the web server. You would want to configure LTM to insert the client cert details in LTM's request to the server so the server can authenticate/authorize that client's request. LTM cannot spoof the client's cert in LTM's request to the web server.
Aaron
- jeff_estes_4238
Altostratus
Thanks Aaron,
I was wondering about that as the backend server does require SSL. I do have both a client and a server SSL profile on the VS (using an HTTP profile for compression and RAM cache); however, the backend server logs seem to show only the VS IP and cert. I'll implement the iRule and configure the HTTP profile for X-Forwarded-For.
Jeff
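As an added example that is not part of the thread or of F5's codeshare, here is a minimal backend-side consumer for the SSLClientCertStatus / SSLClientCertb64 headers that Aaron's rule inserts, in the spirit of his later note that the web server authorizes the client from the forwarded cert details. It trusts those headers only when the request arrives from the BIG-IP's SNAT address (assumed here to be 10.0.0.5, since auto map SNAT hides the real client IP), base64-decodes the DER certificate and reads its serial number with a small DER walk; the certificate bytes are a constructed DER skeleton, not a real certificate.

```python
import base64

# Constructed for this example: the SNAT address the BIG-IP uses towards the pool members.
TRUSTED_PROXIES = {"10.0.0.5"}
# Constructed DER skeleton (not a real certificate): Certificate SEQUENCE containing a
# tbsCertificate SEQUENCE with [0] version v3, serialNumber 0x01C2F3 and an empty
# placeholder SEQUENCE where the remaining fields would follow.
SAMPLE_DER = bytes.fromhex("300e300ca003020102020301c2f33000")
SAMPLE_HEADERS = {
    "SSLClientCertStatus": "ok",
    "SSLClientCertb64": base64.b64encode(SAMPLE_DER).decode("ascii"),
}

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial_from_der(der):
    """Return the serialNumber of an X.509 DER certificate as an int."""
    tag, cert, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _der_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, pos = _der_tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version is optional; skip it
        tag, val, pos = _der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(val, "big", signed=True)

def forwarded_client_serial(headers, peer_ip):
    """Serial of the forwarded client cert, or None when the headers must not be trusted."""
    if peer_ip not in TRUSTED_PROXIES:
        return None                         # a direct client could have typed these headers
    if headers.get("SSLClientCertStatus") != "ok":
        return None                         # the iRule only sets "ok" when verification passed
    b64 = headers.get("SSLClientCertb64")
    if not b64:
        return None
    try:
        return cert_serial_from_der(base64.b64decode(b64, validate=True))
    except (ValueError, IndexError):
        return None                         # malformed base64 or DER: treat as no cert
```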