iRule for SSL certificate based on URL(path)

Question

Hello everyone, I need to know whether is it possible to switch to use a client SSL certificate or not for same virtual IP based on URL(path) and then load balance them to two different pools.
I read the following thread and the answer was NO, because URI is a layer 7.
However Apache can switch to use a client SSL certificate with configuring 
 detective. So, I think BIG-IP is possible to do this.&nbsp;

kevin_stewart · Answer

The answer is generally no from within an iRule. In order to see the URL for evaluation, you have to have already completed the SSL handshake. Can you elaborate on the Apache directive you're referring to? The Apache SSLRequire directive has the same limitation. You can enable/disable/switch SSL settings based on IP addresses (layer 4), and you can also force an SSL renegotiation (with client cert mutual authentication) based on some layer 7 URL path.&nbsp;

akagik_172959 · Answer

Thank you for prompt reply.&nbsp;
I saw an Apache QA page.(not English page.)
 The Apache settings are following.&nbsp;
 
 Options -Indexes FollowSymLinks MultiViews 
 AllowOverride All 
 SSLRequireSSL 
SSLVerifyClient require 
  
 Order deny,allow 
 Allow from all &nbsp;
 
 Options -Indexes FollowSymLinks MultiViews 
 AllowOverride All 
 SSLRequireSSL 
  
 Order deny,allow 
 Allow from all &nbsp;

kevin_stewart · Answer

The SSLVerifyClient require directive simply instructs mod_ssl to require a client certificate. In your description it is presumably being applied to a different site, which may be listening on a different IP or port.&nbsp;

akagik_172959 · Answer

I understand that Apache also cannot do this.
Many thanks.&nbsp;

xin_li_90490 · Answer

you can refer to this.
when CLIENT_ACCEPTED { 
set collected 0 
set protected 0 
} 
when HTTP_REQUEST { 
if { [HTTP::uri] contains "/2" } { 
    set protected 1 
    log local0. "Protected URI requested: [HTTP::uri]" 
    set collected 1 
    HTTP::collect 
    SSL::authenticate once 
    SSL::authenticate depth 9 
    SSL::cert mode request 
    SSL::renegotiate 
    } 
} 
when CLIENTSSL_CLIENTCERT { 
if { $collected eq 1 } { 
    log local0. "HTTP release" 
    HTTP::release } 
    if { $protected eq 1 } { 
        if { [SSL::cert count] &lt; 1 } { 
            log local0. "No Certificate Provided for Protected URI" 
            } 
            else {
            log local0. "Protected URI is accessed with client cert"
        }
    } 
}
when HTTP_REQUEST_SEND {
clientside {
    if { $protected eq 1 } {
        if { [SSL::cert count] &gt; 0} {
            HTTP::header insert X-Client-Cert [b64encode [X509::whole [SSL::cert 0]]]
    log local0. "cert=[X509::whole [SSL::cert 0]]"
        } else {
           HTTP::uri "/certError.html"
        }
    }
}
}

with a default configuration in client authentication area in client ssl profile, and using your default pool.

Forum Discussion

iRule for SSL certificate based on URL(path)

5 Replies

Recent Discussions

Changes to DO and AS3 GitHub - no longer monitored

How to Verify config before loading to F5

Logical Disk Full to Migrate rSeries

HSL - Local TimeZone - in syslog server

VIP control across data centers - how to ensure only 1 VIP is up at a time?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS