Justin_18188
Sep 18, 2008

iRule variable problems

I have an iRule that captures the SSL client DN and places it in a variable to be passed to an application. 98% of the time there is no problem, but 2% of the time users' CNs get crossed: one person will have a different person's CN on their page. Any ideas? Is this most likely a caching issue, where a user views a page and it gets cached, and someone else views the same page and sees the other person's cached version?
  • No, we are using a TCP profile with a few settings changed. I'll put it all out there though:

    Reset on Timeout - enabled
    Time Wait Recycle - enabled
    Delayed ACKs - enabled
    Proxy Maximum Segment - not checked
    Proxy Options - not checked
    Proxy Buffer Low - 98304 bytes
    Proxy Buffer High - 131072 bytes
    Idle Timeout - 300 seconds
    Time Wait - 120000 seconds
    Fin Wait - 5 seconds
    Close Wait - 5 seconds
    Send Buffer - 65535 bytes
    Receive Window - 65535 bytes
    Keep Alive Interval - 1800 seconds
    Max Syn Retransmissions - 3
    Max Segment Retransmissions - 8
    IP ToS - 0
    Link QoS - 0
    Selective ACKs - enabled
    Extended Congestion Notification - not checked
    Extensions for High Performance - enabled
    Limited Transmit Recovery - enabled
    Slow Start - not checked
    Deferred Accept - not checked
    Bandwidth Delay - not checked
    Nagle's Algorithm - not checked
    Acknowledge on Push - enabled
    MD5 Signature - not checked
    MD5 passphrase -
    Congestion Control - New Reno
    Congestion Metrics Cache - enabled
    Appropriate Byte Counting - enabled
    D-SACK - not checked

    This is in use with a BEA application and was configured by some people who had never worked with anything F5 before.
  • when CLIENTSSL_CLIENTCERT {
        # Store the client certificate in the session table, keyed by the
        # SSL session ID, for 900 seconds.
        set ssl_cert [SSL::cert 0]
        set id [SSL::sessionid]
        session add ssl $id $ssl_cert 900
    }

    when HTTP_RESPONSE {
        # HTTP::header insert takes a header name and a value.
        if { [info exists certStr] } {
            HTTP::header insert Set-Cookie "ClientZ=$certStr; Path=/"
        }
        if { [info exists ssl_dn] } {
            HTTP::header insert Set-Cookie "SSL_CLIENT_DN=$ssl_dn; Path=/"
        }
    }

    when HTTP_REQUEST {
        set my_uri [string tolower [HTTP::uri]]
        if { ($my_uri starts_with "/console") || ($my_uri starts_with "/soafportalwebproject") } {
            if { ! [HTTP::cookie exists ClientZ] } {
                set id [SSL::sessionid]
                set cert [session lookup ssl $id]
                if { $cert ne "" } {
                    set certStr [X509::whole $cert]
                    set ssl_dn [X509::subject $cert]
                    # remove unwanted formatting.
                    regsub -all "\n" $certStr "" certStr
                    # string trimleft/trimright treat their argument as a set of
                    # characters, not a literal prefix/suffix, so remove the exact
                    # PEM markers with string map instead.
                    set certStr [string map [list "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""] $certStr]
                    # if certStr is blank...
                    if { $certStr equals "" } {
                        log local0. "no certStr... Deleting Session 11"
                        session delete ssl $id
                    }
                }
            } else {
                # Reuse the value the client sent back in the ClientZ cookie.
                set certStr [HTTP::cookie ClientZ]
            }

            if { [info exists certStr] } {
                if { $certStr ne "" } {
                    HTTP::header insert WL-Proxy-Client-Cert $certStr
                    HTTP::header insert WL-Proxy-Client-Keysize 128
                    HTTP::header insert WL-Proxy-Client-Secretkeysize 128
                }
            }
            if { [info exists ssl_dn] } {
                if { $ssl_dn ne "" } {
                    HTTP::header insert SSL_CLIENT_DN $ssl_dn
                }
            }
            HTTP::header insert WL-Proxy-SSL true
            HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]
        }
    }
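As an added illustration (not from the original post or from F5), the following Python script shows why the PEM markers in the iRule above must be removed as exact substrings rather than with `string trimleft`/`string trimright`: Tcl's trim commands, exactly like Python's `str.lstrip`/`str.rstrip` with an argument, treat that argument as a set of characters, so a base64 body whose last letters also occur in "END CERTIFICATE" silently loses data. The certificate body below is a constructed sample, not a real certificate.

```python
"""Charset trimming vs. exact affix removal on a flattened PEM block.

Tcl's `string trimleft/trimright` and Python's `str.lstrip/rstrip` both
interpret their argument as a SET of characters, not a literal marker.
"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample (not a valid certificate). The body deliberately ends
# in "AE", two letters that also appear in "-----END CERTIFICATE-----".
SAMPLE_PEM = "\n".join([BEGIN, "MIIBxjCCAW+gAwIBAgIJAKHBfpegAAAE", "QUJDREVGAE", END])


def flatten(pem: str) -> str:
    """Mirror `regsub -all "\\n" $certStr "" certStr`: drop the newlines."""
    return pem.replace("\n", "")


def strip_charset(pem: str) -> str:
    """What charset trimming does: every leading/trailing character that is
    a member of the marker string is removed, whether or not it belongs to
    the marker. This is lossy when the base64 body ends in such a letter."""
    body = flatten(pem)
    return body.lstrip(BEGIN).rstrip(END)


def strip_exact(pem: str) -> str:
    """Exact marker removal, the equivalent of Tcl `string map`."""
    body = flatten(pem)
    if body.startswith(BEGIN):
        body = body[len(BEGIN):]
    if body.endswith(END):
        body = body[:-len(END)]
    return body


def lost_chars(pem: str) -> int:
    """How many base64 characters the charset trim silently discards."""
    return len(strip_exact(pem)) - len(strip_charset(pem))


if __name__ == "__main__":
    print("exact  :", strip_exact(SAMPLE_PEM))
    print("charset:", strip_charset(SAMPLE_PEM))
    print("lost   :", lost_chars(SAMPLE_PEM))
```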