Forum Discussion
iRule config to Rewrite SSL Header for Transactions
That didn't come out well. Here is the full text of the iRule. Which lines would I remove?
# URI Modify with Client Cert Header insert

when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}

when CLIENTSSL_CLIENTCERT {
    # Check if client presented at least one cert
    if {[SSL::cert count] > 0}{
        # Insert the following fields in the session table with a timeout of 7200 seconds.
        # Do the processing now as opposed to in HTTP_REQUEST as there
        # can be many HTTP requests using the same SSL session ID.
        #   Index - item
        #   0 - verify result (0 means the cert validated)
        #   1 - serial number of the cert
        #   2 - issuer of the cert
        #   3 - subject of the cert
        session add ssl [SSL::sessionid] [list \
            [SSL::verify_result] \
            [X509::serial_number [SSL::cert 0]] \
            [X509::issuer [SSL::cert 0]] \
            [X509::subject [SSL::cert 0]] \
        ] 7200
        log local0. "[IP::client_addr]:[TCP::client_port]: Added session data for cert. Status:\
            [X509::verify_cert_error_string [lindex [session lookup ssl [SSL::sessionid]] 0]] with key [SSL::sessionid]"
    }
}

when HTTP_REQUEST {
    # URI rewrites and pool selection, first match wins, so the bare "/markets"
    # catch-all must stay last. Each "string range" offset is the length of the
    # matched prefix, so the rewrite keeps everything after it (rest of the path
    # and any query string). "/markets" is 8 characters, hence the offset 8 for
    # the /extif rewrites.
    if { [HTTP::uri] starts_with "/markets/VirtualTransactionProducingService" } {
        discard
        # Nothing further to do for a dropped request
        return
    } elseif { [HTTP::uri] starts_with "/settlements/BilateralScheduleService/v1/BilateralScheduleService" } {
        HTTP::uri "/BilateralSchedulesCore/BilateralSchedulesService/BilateralPortImpl[string range [HTTP::uri] 65 end]"
        pool POOL-ITE-DMZ-8080-api.itespp.org-Bilateral
    } elseif { [HTTP::uri] starts_with "/settlements/MeterDataService/v1/MeterDataService" } {
        HTTP::uri "/MeterDataCore/MeterDataService/MeterDataPortImpl[string range [HTTP::uri] 49 end]"
        pool POOL-ITE-DMZ-8080-api.itespp.org-MeterData
    } elseif { [HTTP::uri] starts_with "/settlements/SettlementReportService/v1/SettlementReportService" } {
        HTTP::uri "/webservices/SettlementReportsService/SettlementReportsPortImpl[string range [HTTP::uri] 63 end]"
        pool POOL-ITE-DMZ-8080-api.itespp.org-Settlement
    } elseif { [HTTP::uri] starts_with "/settlements/SettlementReportService/v1/SettlementReportInternalService" } {
        # This prefix is 71 characters long; an offset of 70 would leave the
        # trailing "e" of "Service" in the rewritten URI.
        HTTP::uri "/webservices/SettlementReportsService/SettlementReportsInternalPortImpl[string range [HTTP::uri] 71 end]"
        pool POOL-ITE-DMZ-8080-api.itespp.org-Settlement
    } elseif { [HTTP::uri] starts_with "/notifications/NotificationService/v1/NotificationSyncService" } {
        HTTP::uri "/NotificationEjb/NotificationSyncService/NotificationSyncService[string range [HTTP::uri] 61 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-Notification
    } elseif { [HTTP::uri] starts_with "/markets/MarketStatusProducingService" } {
        HTTP::uri "/extif[string range [HTTP::uri] 8 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-extif
    } elseif { [HTTP::uri] starts_with "/markets/MarketClearedTransactionsProducingService" } {
        HTTP::uri "/extif[string range [HTTP::uri] 8 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-extif
    } elseif { [HTTP::uri] starts_with "/markets/TotalTLRReliefConsumingService" } {
        HTTP::uri "/extif[string range [HTTP::uri] 8 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-extif
    } elseif { [HTTP::uri] starts_with "/markets/ReserveEventConsumingService" } {
        HTTP::uri "/extif[string range [HTTP::uri] 8 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-extif
    } elseif { [HTTP::uri] starts_with "/markets/ReserveObligationConsumingService" } {
        HTTP::uri "/extif[string range [HTTP::uri] 8 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-extif
    } elseif { [HTTP::uri] starts_with "/markets/CurtailedWindResourcesProducingService" } {
        HTTP::uri "/extif[string range [HTTP::uri] 8 end]"
        pool POOL-ITE-DMZ-8443-api.itespp.org-extif
    } elseif { [HTTP::uri] starts_with "/markets/MarketTransactionConsumingService" } {
        pool POOL-ITE-DMZ-8419-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets/IntervalNSIConsumingService" } {
        pool POOL-ITE-DMZ-8420-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets/InterfaceNSIConsumingService" } {
        pool POOL-ITE-DMZ-8424-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets/HourlyInadvertentConsumingService" } {
        pool POOL-ITE-DMZ-8425-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets/WindResourceForecastConsumingService" } {
        pool POOL-ITE-DMZ-8427-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets/TielineMeterProducingService" } {
        pool POOL-ITE-DMZ-8428-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets/WindResourceTelemetryProducingService" } {
        pool POOL-ITE-DMZ-8429-api.itespp.org
    } elseif { [HTTP::uri] starts_with "/markets" } {
        pool POOL-ITE-DMZ-8443-api.itespp.org
    }

    # Remove client-supplied X-* headers so a client cannot inject its own
    # X-SPP-CERT-* or X-Forwarded-For values ahead of the ones inserted below
    foreach header_name [HTTP::header names] {
        if {[string match -nocase x-* $header_name]}{
            HTTP::header remove $header_name
        }
    }

    # Add the address of the original client to the headers
    HTTP::header insert X-Forwarded-For [IP::remote_addr]

    # Check if SSL session ID is in the cache (SSL::sessionid returns 64 zeroes
    # if it's not in v9 and a null string in v10)
    if {[SSL::sessionid] ne "0000000000000000000000000000000000000000000000000000000000000000" && [SSL::sessionid] ne ""}{
        # Get the session table entry (a TCL list) for this session ID
        set session_data [session lookup ssl [SSL::sessionid]]
        # Check if the first element of the session table entry for this session ID
        # is 0 (status for successful cert validation)
        if {[lindex $session_data 0] == 0}{
            log local0. "[IP::client_addr]:[TCP::client_port]: Valid cert per session table entry. Inserting cert details in HTTP headers."
            # Remove the colons in the certificate serial number
            regsub -all ":" [lindex $session_data 1] "" CERT_SerialNumber
            # Insert cert details in the HTTP headers
            HTTP::header insert X-SPP-CERT-SerialNumber [string toupper $CERT_SerialNumber]
            HTTP::header insert X-SPP-CERT-IssuerDN [lindex $session_data 2]
            HTTP::header insert X-SPP-CERT-SubjectDN [lindex $session_data 3]
            # Exit this event in this rule
            return
        }
    }

    # If we're still in this rule, cert wasn't valid so send HTTP 302 redirect to an error page.
    # Note that the Location is built from the client-supplied Host header.
    HTTP::respond 302 Location "http://[HTTP::host]/cert_error.html"
    log local0. "[IP::client_addr]:[TCP::client_port]: No or invalid cert from client."
}
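As an added example (not from the post above, and not F5 code), here is an offline Python model of the HTTP_REQUEST logic in that iRule: prefix-based URI rewriting with the pool choice, stripping of every client-supplied X-* header, and insertion of the trusted X-SPP-CERT-* headers from the cached session entry. It assumes the session entry has the shape the CLIENTSSL_CLIENTCERT event stores ([verify_result, serial, issuer, subject]), uses only a subset of the iRule's route branches (the full chain follows the same pattern), and computes each rewrite offset from the prefix length instead of a hand-counted constant, which is how a practitioner would check the offsets in the rule before deploying it.

```python
# Offline model of the iRule's HTTP_REQUEST event (constructed example, not
# F5's iRule engine). Assumed session entry shape: [verify_result, serial,
# issuer, subject], with verify_result 0 meaning the client cert validated.

SESSION_OK = 0

# First match wins, exactly like the elseif chain, so the bare "/markets"
# catch-all must stay last. Entry: (match prefix, (old prefix, new prefix) or
# None when the URI is left alone, pool or None when the request is discarded).
# Subset of the branches in the iRule; paths and pool names are taken from it.
ROUTES = [
    ("/markets/VirtualTransactionProducingService", None, None),
    ("/settlements/BilateralScheduleService/v1/BilateralScheduleService",
     ("/settlements/BilateralScheduleService/v1/BilateralScheduleService",
      "/BilateralSchedulesCore/BilateralSchedulesService/BilateralPortImpl"),
     "POOL-ITE-DMZ-8080-api.itespp.org-Bilateral"),
    ("/settlements/SettlementReportService/v1/SettlementReportInternalService",
     ("/settlements/SettlementReportService/v1/SettlementReportInternalService",
      "/webservices/SettlementReportsService/SettlementReportsInternalPortImpl"),
     "POOL-ITE-DMZ-8080-api.itespp.org-Settlement"),
    ("/markets/MarketStatusProducingService", ("/markets", "/extif"),
     "POOL-ITE-DMZ-8443-api.itespp.org-extif"),
    ("/markets/MarketTransactionConsumingService", None,
     "POOL-ITE-DMZ-8419-api.itespp.org"),
    ("/markets", None, "POOL-ITE-DMZ-8443-api.itespp.org"),
]


def route(uri):
    """Return ("discard", None, None) or ("forward", rewritten_uri, pool)."""
    for prefix, rewrite, pool in ROUTES:
        if not uri.startswith(prefix):
            continue
        if pool is None:
            return ("discard", None, None)
        if rewrite is not None:
            old, new = rewrite
            # len(old) plays the role of the hand-counted "string range" offsets
            # (65, 49, 63, ...) in the iRule; counting by hand is where
            # off-by-one errors creep in.
            uri = new + uri[len(old):]
        return ("forward", uri, pool)
    return ("forward", uri, None)  # no match: the virtual server's default pool


def offset_is_correct(prefix, hardcoded_offset):
    """True if a `string range [HTTP::uri] N end` offset equals the prefix length."""
    return len(prefix) == hardcoded_offset


def sanitize_headers(headers, client_ip):
    """Drop every client-supplied X-* header (case-insensitive), then add X-Forwarded-For."""
    kept = {name: value for name, value in headers.items()
            if not name.lower().startswith("x-")}
    kept["X-Forwarded-For"] = client_ip
    return kept


def cert_headers(session_entry):
    """Headers to insert when the cached SSL session holds a validated cert, else None."""
    if not session_entry or session_entry[0] != SESSION_OK:
        return None
    _, serial, issuer, subject = session_entry
    return {
        "X-SPP-CERT-SerialNumber": serial.replace(":", "").upper(),
        "X-SPP-CERT-IssuerDN": issuer,
        "X-SPP-CERT-SubjectDN": subject,
    }


def process_request(uri, headers, client_ip, session_entry):
    """Model one HTTP_REQUEST and return the action the iRule would take."""
    action, new_uri, pool = route(uri)
    if action == "discard":
        return {"action": "discard"}
    out_headers = sanitize_headers(headers, client_ip)
    extra = cert_headers(session_entry)
    if extra is None:
        # Missing or invalid cert: redirect. The iRule builds this URL from the
        # client-controlled Host header; a fixed hostname would be safer.
        return {"action": "redirect", "status": 302,
                "location": "http://%s/cert_error.html" % headers.get("Host", "")}
    out_headers.update(extra)
    return {"action": "forward", "uri": new_uri, "pool": pool, "headers": out_headers}


# Constructed sample request from a client that tries to forge the cert headers.
SAMPLE_HEADERS = {
    "Host": "api.itespp.org",
    "Content-Type": "text/xml",
    "x-spp-cert-subjectdn": "CN=forged",
    "X-Forwarded-For": "203.0.113.9",
}
SAMPLE_SESSION = [0, "01:ab:cd:ef", "CN=Example Issuer CA", "CN=Example Client"]

if __name__ == "__main__":
    print(process_request(
        "/settlements/SettlementReportService/v1/SettlementReportInternalService?wsdl",
        SAMPLE_HEADERS, "198.51.100.7", SAMPLE_SESSION))
```

Running it on the sample shows the forged x-spp-cert-subjectdn and the client's X-Forwarded-For dropped, the BIG-IP-derived values inserted, and the internal settlement URI rewritten with the query string intact; `offset_is_correct` is the check to run against every hard-coded offset in the rule.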