Forum Discussion
Miguel_111028
Nimbostratus
Oct 23, 2008
Inserting SSL client certificate into the header of the HTTP session
Hello group,
I do not have much experience in creating iRules and I need to set an iRule to an https virtual server type with client certificate authentication. The iRule should do the following:
1. Insert the entire client certificate (in PEM format) as a multiline HTTP header named X-Client-Cert into the incoming HTTP request and send this header to the backend server.
2. Insert the original IP address of the client into an HTTP header named X-Forwarder-For and send this header to the backend server. I need this because I must use the auto map SNAT Pool feature in the implied virtual servers.
Is it possible to do all this in only one iRule?
Thank you.
Miguel Angel.
16 Replies
- Miguel_111028
Nimbostratus
Hello,

```tcl
when CLIENTSSL_HANDSHAKE {
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        HTTP::header insert X-Client-Cert [X509::whole $the_cert]
    }
}
```
- hoolio
Cirrostratus
There is a codeshare example which should work to insert the cert in a header:

```tcl
when CLIENTSSL_CLIENTCERT {
    # set time to maintain session data (in seconds)
    set session_timeout 7200
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
}

when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]
    } else {
        # send HTTP 302 redirect to an error page
        HTTP::redirect "http://192.168.0.64/error.html"
    }
}
```
- Miguel_111028
Nimbostratus
Thank you Aaron,

```tcl
when CLIENTSSL_CLIENTCERT {
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        HTTP::header insert x-client-cert [X509::whole $the_cert]
    }
}
```
- hoolio
Cirrostratus
Hi Miguel,

```tcl
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        # Rewrite the Location header from http to https
        HTTP::header replace Location [string map -nocase {http:// https://} [HTTP::header value Location]]
    }
}
```
- hoolio
Cirrostratus
Sorry for that. This is a very annoying bug noted in SOL7988.

```tcl
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        # Rewrite the Location header from http to https
        HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
    }
}
```
- Miguel_111028
Nimbostratus
Thank You Aaron,
- orangepeelbeef_
Nimbostratus
nevermind, my view didn't include the resolution for some reason......
- jeff_estes_4238
Altostratus
I was wondering if inserting the client cert into the header does away with the need for a server ssl profile, or does the VS still need to establish the ssl session with the backend server using its cert first?
- hoolio
Cirrostratus
Hi Jeffrey,
- jeff_estes_4238
Altostratus
Thanks Aaron,
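
The two requirements from the original question combined into a single iRule, as an added example that is not code posted by anyone in this thread. It uses only commands that appear in the replies above plus `HTTP::header remove`, `IP::client_addr` and `SSL::cert count`. Assumptions: the certificate is sent as single-line base64 (as in hoolio's reply) rather than multiline PEM, the client address header uses the conventional name X-Forwarded-For, and client-supplied copies of both headers are removed so the backend only trusts values set by the BIG-IP.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Store the certificate and its verification result in the session
    # table, keyed by SSL session ID, so HTTP_REQUEST can look them up.
    if { [SSL::cert count] > 0 } {
        set verify [X509::verify_cert_error_string [SSL::verify_result]]
        # 7200 s lifetime, the same value used in the codeshare example
        session add ssl [SSL::sessionid] [list [SSL::cert 0] $verify] 7200
    }
}

when HTTP_REQUEST {
    # Remove any copies of these headers that arrived from the client,
    # so a request cannot carry a forged certificate or source address.
    HTTP::header remove X-Client-Cert
    HTTP::header remove X-Forwarded-For

    # Original client address, which SNAT automap hides from the backend
    HTTP::header insert X-Forwarded-For [IP::client_addr]

    set cached [session lookup ssl [SSL::sessionid]]
    if { $cached ne "" && [lindex $cached 1] eq "ok" } {
        # Base64 of the certificate: a single-line header value
        HTTP::header insert X-Client-Cert [b64encode [lindex $cached 0]]
    }
    # With no verified certificate the header is simply absent, and the
    # backend should treat the request as unauthenticated.
}
```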