Forum Discussion
multiple applications behind one VIP and certs
I believe you'll need to wait for the HTTP_REQUEST event, because your HTTP class objects won't be set up yet in CLIENTSSL_CLIENTCERT, so you won't be able to check e.g. HTTP::host. You could, however, have your code populate a $issuer variable in your CLIENTSSL_CLIENTCERT section - that event will definitely fire if a client cert is provided. But I don't know that there's any extra value in doing that, vs. in the HTTP_REQUEST event, honestly.
To make your code more readable, you could certainly use switch statements instead of ifs, like discussed here: https://devcentral.f5.com/questions/using-switch-vs-if-to-clean-up-irule
It sounds like client certs are only required to access certain websites ... if so, you should make sure you have a client cert before checking issuer, so as not to incur a runtime error, e.g.
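# Default to an empty issuer so the later check is safe without a cert
set issuer ""
# Only read the issuer when the client actually presented a certificate
if { [SSL::cert count] > 0 } {
    set issuer [X509::issuer [SSL::cert 0]]
}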
if { $issuer contains ...
If you have multiple cases of sets of websites that should only be accessed by users providing client certs matching a specific issuer string, you can set this all up in string datagroups, and use class match statements instead of multiple if statements. That may make the code easier to read (for someone who understands "class match", that is!); and it definitely would make updating it all less error prone. It kind of depends whether you have 2, or 3, or 50 if statements - if you have 2, don't bother, 3, maybe bother, by 50 definitely bother 🙂
Depending on your timing, I believe that I read that in v12 (coming soon), you'll be able to use variables as conditions in Local Traffic policies. THAT would simplify this significantly ... you could check your issuer and set a variable in a CLIENTSSL_CLIENTCERT iRule, then reference that $issuer in a local traffic policy as a condition for a rule that would set the correct pool.
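The data-group approach described in the reply above, as an added example that is not part of the original post. The data group name dg_host_issuer, its entries, and the 403 response are assumptions made for illustration:

```tcl
# Added example, not code from the original reply.
# Assumes a string data group named dg_host_issuer (hypothetical) whose keys
# are lower-case host names and whose values are the issuer substring that a
# client certificate must carry for that host, for instance (constructed):
#   "app1.example.com" := "CN=Example Issuing CA 1"
#   "app2.example.com" := "CN=Example Issuing CA 2"
# Hosts that are not listed do not require a client certificate.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case and drop any :port suffix
    # (IPv6 literals in the Host header are not handled here)
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Look up the required issuer string; empty means the host is not listed
    set required [class match -value $host equals dg_host_issuer]
    if { $required eq "" } {
        return
    }

    # Only read the issuer when a certificate was actually presented,
    # so a request without a cert does not raise a runtime error
    set issuer ""
    if { [SSL::cert count] > 0 } {
        set issuer [X509::issuer [SSL::cert 0]]
    }

    # Fail closed: no certificate, or an issuer that does not match
    if { $issuer eq "" || !($issuer contains $required) } {
        log local0. "issuer check failed: host=$host issuer=\"$issuer\""
        HTTP::respond 403 content "Forbidden"
        return
    }
}
```

Adding or changing a protected host then means editing the data group rather than the iRule.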