Forum Discussion
Lee_Sutcliffe
Nacreous
Nacreousirule to select SSL client cert based on HTTP header
I've wrote a simple irule that forwards requests to a relevent pool based on the contents of the HTTP header.
This works fine for HTTP requests however I'd like to ammend it so that in addition to forwarding to the correct pool, it also selects the correct SSL client profile.
This is the irule I have for the http requests
when HTTP_REQUEST {
if {[HTTP::header "host"] contains {abc}} {
pool abc-pool
}
else{pool xyz-pool}
}
Any help would be appreciated.
Thanks
L4L7_53191Nimbostratus
The trick here is that by the time you're able to get at the HTTP header information, your SSL session has already been established. As of now, I don't know of a good way to do this. How many ssl profiles are you looking to switch on?
-Matt
Lee_SutcliffeAt this stage only two profiles, although this may increase over time
hoolioCirrostratus
As Matt suggested, there isn't a way to select the client side SSL profile based on HTTP information with current browsers. See this post for some options:
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=56508&ptarget=56509
Aaron- Lee_SutcliffeHmm.. that’s annoying!
Would it be possible to forward to request to another VIP using the same IP but on a different port?
All I'm trying to achieve is to reduce the number of public IP addresses we’re using.
Thanks
Lee - hoolioHi Lee,
It's a limitation of what's currently implemented in browsers for SSL that you need one IP per cert. You could use a separate port, but then clients and apps would need to reference the site with that port in the URL. You couldn't use an iRule to select that port until the iRule had decrypted the SSL to see which hostname had been requested.
Aaron