
Forum Discussion

bigipjr28_13978
Aug 20, 2015

multiple applications behind one VIP and certs

Hello,

 

I was wondering about the best way to solve this problem. In order to preserve IP space I have started to use host headers along with an iRule to route to the same pair of webservers in a particular pool. As the number of applications grew, so did the complexity of using multiple certs.

 

Here is some pseudocode along with an explanation:

 

    if { $issuer contains "CN=verisign,O=test.,L=city,ST=somestate" } {
        # client presented a cert from the expected issuer: only this host is allowed
        switch -glob -- [HTTP::host] {
            "app.website.com" {
                pool webpool
            }
            default {
                reject
            }
        }
    } else {
        # no (or a different) issuer: route the other domains, reject everything else
        switch -glob -- [HTTP::host] {
            ".test.com" -
            "*.training..com" -
            "*.website.com" -
            "app.website.com" -
            "test.nyiso.com" -
            "test.website.com" {
                pool webpool
            }
            default {
                reject
            }
        }
    }

 

If the issuer contains certain info and the host matches certain names, route to the webpool, else reject. Basically I want to reject all connections that don't present themselves with a specific cert. But if there is a match on the other domains, route to the webpool; if there is no match, then reject.

 

Would this be done using the HTTP_REQUEST event or the CLIENTSSL_CLIENTCERT event?

 

Any help would be very welcome.

 

Thanks

 

4 Replies

  • I believe you'll need to wait for the HTTP_REQUEST event, because your HTTP class objects won't be set up yet in CLIENTSSL_CLIENTCERT, so you won't be able to check e.g. HTTP::host. You could, however, have your code populate a $issuer variable in your CLIENTSSL_CLIENTCERT section; that event will definitely fire if a client cert is provided. But I don't know that there's any extra value in doing that, vs. in the HTTP_REQUEST event, honestly.

     

    To make your code more readable, you could certainly use switch statements instead of ifs, like discussed here: https://devcentral.f5.com/questions/using-switch-vs-if-to-clean-up-irule

     

    It sounds like client certs are only required to access certain websites. If so, you should make sure you have a client cert before checking the issuer, so as not to incur a runtime error, e.g.

     

       # default to an empty issuer so the later check is safe when no cert was sent
       set issuer ""
       # SSL::cert count is 0 when the client presented no certificate;
       # calling X509::issuer on a missing cert would raise a runtime error
       if { [SSL::cert count] > 0 } {
          set issuer [X509::issuer [SSL::cert 0]]
       }

       if { $issuer contains ...
    

    If you have multiple cases of sets of websites that should only be accessed by users providing client certs matching a specific issuer string, you can set this all up in string datagroups and use class match statements instead of multiple if statements. That may make the code easier to read (for someone who understands "class match", that is!), and it definitely would make updating it all less error prone. It kind of depends whether you have 2, or 3, or 50 if statements: if you have 2, don't bother; 3, maybe bother; by 50, definitely bother 🙂

     

    Depending on your timing, I believe that I read in v12 (coming soon), you'll be able to use variables as conditions in Local Traffic policies. THAT would simplify this significantly ... you could check your issuer and set a variable in a CLIENTSSL_CLIENTCERT irule, then reference that $issuer in a local traffic policy as a condition for a rule that would set the correct pool.
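    Putting the pieces of this reply together (guard the issuer lookup with SSL::cert count, do the host check in HTTP_REQUEST, use switch -glob instead of chained ifs), here is an added example iRule. It is not code from the original thread. Assumptions: the pool is named webpool, the issuer substring and the hostnames (app.website.com for the cert-protected site, the wildcards for the public sites) are placeholders, and the virtual server's clientssl profile has Client Certificate set to "request" (not "require", which would fail the handshake for the public hosts) with a Trusted CA bundle, so certificate chain validation is done by the profile and the iRule only decides which issuer is acceptable for which hostname.

```tcl
# Added example, not from the original DevCentral thread.
# Assumes: pool "webpool", a clientssl profile in "request" mode with a
# Trusted CA bundle, and placeholder hostnames / issuer string.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and drop any ":port" suffix,
    # otherwise "App.Website.com:443" would miss every pattern below.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # Only read the issuer if a client cert was actually presented;
    # X509::issuer on a missing cert raises a runtime error.
    set issuer ""
    if { [SSL::cert count] > 0 } {
        set issuer [X509::issuer [SSL::cert 0]]
    }

    # switch -glob tests patterns in order, so the exact hostname that needs
    # a client cert must come before the "*.website.com" wildcard that would
    # otherwise match it and route it without any cert check.
    switch -glob -- $host {
        "app.website.com" {
            # Cert-protected host: require a cert from the expected issuer.
            if { $issuer contains "CN=verisign,O=test.,L=city,ST=somestate" } {
                pool webpool
            } else {
                log local0. "Rejecting $host from [IP::client_addr]: issuer='$issuer'"
                reject
            }
        }
        "*.website.com" -
        "*.test.com" -
        "test.nyiso.com" {
            # Public hosts: no client cert needed, just route.
            pool webpool
        }
        default {
            # Unknown or missing Host header: never fall through to a pool.
            log local0. "Rejecting unknown host '$host' from [IP::client_addr]"
            reject
        }
    }
}
```

    Two notes on the design. First, `contains` on the issuer is a substring match, as in the original pseudocode; once you know the exact DN string that X509::issuer returns on your box, `equals` on the full DN is the tighter check. Second, this iRule is routing, not authentication: the Host header is attacker-controlled, and the only thing stopping someone from presenting a self-signed cert with a matching issuer DN is the Trusted CA bundle on the clientssl profile, so that bundle must contain only the CA you expect. If the pattern lists grow, both hostname sets can move into string data groups and be tested with `class match -- $host ends_with <datagroup>`, as the reply above suggests.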

     

  • Hi,

     

    When reading the iRule, there is a reference to the issuer, which makes us think you are doing client cert authentication.

     

    But when reading the other explanation, I'm not sure the goal is to authenticate the client with a certificate.

     

    Do you expect to select the certificate based on the requested URL? This feature is called Server Name Indication (SNI).

     

    As SNI is based on the clientssl profile, you can define client cert authentication with a dedicated allowed CA for every client SSL profile.

     

  • I have modified the iRule and it now works. I was in the wrong event type, and I figured out how the else statement should be handled with the domains; I also had to use || instead of "or" when deciding the domain name. This issue can be considered solved.

     

    Thanks for the input.