Forum Discussion
iRule for SSL certificate based on URL(path)
Hello everyone, I need to know whether it is possible to switch to using a client SSL certificate or not for the same virtual IP based on URL (path), and then load balance them to two different pools. I read the following thread and the answer was NO, because URI is layer 7. However, Apache can switch to using a client SSL certificate by configuring a directive. So I think BIG-IP should be able to do this.
5 Replies
- Kevin_Stewart
Employee
The answer is generally no from within an iRule. In order to see the URL for evaluation, you have to have already completed the SSL handshake. Can you elaborate on the Apache directive you're referring to? The Apache SSLRequire directive has the same limitation. You can enable/disable/switch SSL settings based on IP addresses (layer 4), and you can also force an SSL renegotiation (with client cert mutual authentication) based on some layer 7 URL path.
- akagik_172959
Nimbostratus
Thank you for the prompt reply.
I saw an Apache Q&A page (not an English page). The Apache settings are as follows.
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
SSLRequireSSL
SSLVerifyClient require
Order deny,allow
Allow from all

Options -Indexes FollowSymLinks MultiViews
AllowOverride All
SSLRequireSSL
Order deny,allow
Allow from all
- Kevin_Stewart
Employee
The SSLVerifyClient require directive simply instructs mod_ssl to require a client certificate. In your description it is presumably being applied to a different site, which may be listening on a different IP or port.
- akagik_172959
Nimbostratus
I understand that Apache also cannot do this. Many thanks.
- xin_li_90490
Nimbostratus
You can refer to this.
when CLIENT_ACCEPTED {
    set collected 0
    set protected 0
}
when HTTP_REQUEST {
    if { [HTTP::uri] contains "/2" } {
        set protected 1
        log local0. "Protected URI requested: [HTTP::uri]"
        set collected 1
        HTTP::collect
        SSL::authenticate once
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}
when CLIENTSSL_CLIENTCERT {
    if { $collected eq 1 } {
        log local0. "HTTP release"
        HTTP::release
    }
    if { $protected eq 1 } {
        if { [SSL::cert count] < 1 } {
            log local0. "No Certificate Provided for Protected URI"
        } else {
            log local0. "Protected URI is accessed with client cert"
        }
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { $protected eq 1 } {
            if { [SSL::cert count] > 0 } {
                HTTP::header insert X-Client-Cert [b64encode [X509::whole [SSL::cert 0]]]
                log local0. "cert=[X509::whole [SSL::cert 0]]"
            } else {
                HTTP::uri "/certError.html"
            }
        }
    }
}
This works with the default configuration in the client authentication area of the client SSL profile, using your default pool.
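As an added example (not code from the thread or from F5), the same renegotiation flow tightened for the case where a backend trusts the forwarded header: the client-supplied X-Client-Cert header is stripped on every request, the certificate is forwarded only when it chained to a trusted CA (checked with SSL::verify_result), and the path match is narrowed from contains to starts_with. The path prefix, header name and error page are the thread's; the verified variable is an assumption of this example.

```tcl
# Added example, not the iRule posted above: same flow, hardened.
when CLIENT_ACCEPTED {
    set protected 0
    set collected 0
    set verified 0   ;# assumed name: 1 only after a successful chain check
}
when HTTP_REQUEST {
    # A client must never be able to supply the header the backend trusts.
    HTTP::header remove X-Client-Cert
    HTTP::header remove X-Client-Cert-Subject
    if { [HTTP::uri] starts_with "/2" } {
        set protected 1
        set collected 1
        HTTP::collect
        SSL::authenticate once
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}
when CLIENTSSL_CLIENTCERT {
    # Record the outcome here, where the verification result is available:
    # a cert must be present AND verify_result must be 0 (X509_V_OK).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set verified 1
    } else {
        log local0. "client cert missing or failed verification (result [SSL::verify_result]) for [HTTP::uri]"
    }
    if { $collected } {
        set collected 0
        HTTP::release
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { $protected } {
            if { $verified } {
                # Forward the validated certificate and its subject to the pool member.
                HTTP::header insert X-Client-Cert [b64encode [X509::whole [SSL::cert 0]]]
                HTTP::header insert X-Client-Cert-Subject [X509::subject [SSL::cert 0]]
            } else {
                HTTP::uri "/certError.html"
            }
        }
    }
}
```

The backend should still only honour X-Client-Cert on connections that arrive from the BIG-IP, since the header is plain text once the request leaves the virtual server.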