Forum Discussion
Jason_Witt_4207 (Historic F5 Account)
Oct 24, 2005
iRule to require SSL Client Certs for a URI
Working on developing a rule based on the "SSL Client Cert for URI" example in Docs and Tips. We first tried the rule verbatim, with the exception of changing the URI to match what they wanted to protect. This...
James_Yang_9981 (Altostratus)
May 28, 2006
At last, I got the rules below that work.
    when CLIENTSSL_HANDSHAKE {
        log LOCAL0.warn "cert count=[SSL::cert count]"
        if { [SSL::cert count] == 0 } {
            # First handshake (profile in "cert mode ignore"): no cert yet, let the request proceed
            log LOCAL0.warn "when client handshake, ssl cert count is 0, pass"
        } else {
            # Tcl needs "else" on the same line as the closing brace
            # Renegotiated handshake: client presented a cert, release the held request to the server
            log LOCAL0.warn "when client handshake, two way cert found and the cert count is [SSL::cert count]"
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/manual/" } {
            log "Requiring certificate... and the request uri is: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                # Hold the request, switch the profile to require a cert, then force a new handshake
                log local0. "when http request, ssl cert count is 0, now http collect"
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                log local0. "when http request, now renegotiating"
                SSL::renegotiate
            }
        } else {
            log LOCAL0.warn "No cert needed, to server directly. And the uri is [HTTP::uri]"
        }
    }

You can start it from the Client SSL profile with cert mode ignore. Then, when a user accesses /manual/, he will be prompted with a window to supply a certificate.
For certificate advertising and CRL, you can only edit the bigip.conf file manually. And remember never to modify anything in the Client SSL profile from the GUI again........
In my environment, it works on BIG-IP v9.1.2, but cannot run on beta BIG-IP 9.4.0. So disappointing.......
Can anyone help!!!!
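As an added example (not code from the thread or from F5's Docs and Tips), the same hold-collect-renegotiate idea with three guards the posted rule lacks: renegotiate at most once per connection, reject the connection if the second handshake still carries no valid client cert, and log the accepted subject. The variable `rn_done` is an invented name; `/manual/` is the protected path from the thread; `SSL::verify_result`, `X509::subject` and `reject` are standard iRule commands.

```tcl
# Added example, not the poster's rule. Profile starts in "cert mode ignore".
when CLIENT_ACCEPTED {
    # Invented per-connection flag: has this connection already renegotiated?
    set rn_done 0
}

when CLIENTSSL_HANDSHAKE {
    if { $rn_done == 0 } {
        # First handshake: no cert was requested yet, nothing to check.
        return
    }
    # Second handshake, triggered by SSL::renegotiate below.
    # verify_result 0 means the cert chained to a trusted CA in the profile.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0.warn "client cert missing or failed verification ([SSL::verify_result]); rejecting"
        reject
        return
    }
    log local0.info "client cert accepted: [X509::subject [SSL::cert 0]]"
    # Release the request that HTTP::collect held back, now that the cert is verified.
    HTTP::release
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/manual/" } {
        if { $rn_done == 0 } {
            # Hold the request, then ask the client for a cert on a fresh handshake.
            set rn_done 1
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
        # rn_done == 1: this connection already passed the cert check, let it through.
    }
}
```

Because the check happens in the handshake event, a connection that cannot produce a valid cert is dropped before the held request reaches the pool member.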