Forum Discussion

Maudigan's avatar
Maudigan
Icon for Altocumulus rankAltocumulus
Dec 02, 2023
Solved

OCSP HTTP Header Specification/Example or field name of EDIPI?

Our application identifies users by the EDIPI passed in header. I'm coding this without having access at the moment so im relying heavily on documentation instead of trial and error; I can't find doc...
security
  • Maudigan's avatar
    Maudigan
    Dec 04, 2023

    Lucas, thanks for the detailed response. Your assumptions are correct. I had seen that post you linked when I was searching and had dismissed it as unrelated to what I was looking for for. I had been lead to believe that the process you just described was sort of automatic, that simply by being in the F5 and using HTTPS that the x509 info would automatically be inserted into the HTTP request header and forwarded to the server.

    I thought I was just missing the finer details, but I apparently really am missing the overarching architecture of how this will work! I think the important take away from your code is that I can name the EDIPI whatever I want in the request header. That's enough to let me start writing my PHP. So thanks! 

    I think I followed your code fine, but am entirely unfamiliar with the syntax/language. Am I right to assume that my server admins will have access to an F5 console where I'd have to get them to setup rules for how we want our connections to be managed, and the script your provided is an example of one of those handling rules?

  • Lucas_Thompson's avatar
    Lucas_Thompson
    Dec 04, 2023

    Great! sounds like you're on the right track.

    The language that BIG-IPs use for network programmability is a flavor of TCL called "iRules". In a nutshell, you write code blocks like "When this event happens, do these commands", then you attach that code to a virtual server. iRules support passing data between events using variables. In this way, almost any conceivable use case or data translation is possible.

    Events: https://clouddocs.f5.com/api/irules/Events.html

    Commands: https://clouddocs.f5.com/api/irules/Commands.html

    You can read more about irules here:

    https://community.f5.com/t5/technical-articles/getting-started-with-irules-events-amp-priorities/ta-p/290543

     

Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee

I'm assuming that:

1- The F5 is performing the SSL negotitation with the client's CAC

2- You want to transform the ID in the X509 to a HTTP header and pass it along to the backend server which can read it

 

So you need to capture the X509 information. There is some information about that here:

https://community.f5.com/t5/technical-forum/forwarding-of-x509-http-header-to-application-after-termination/td-p/100895

Then you need to add that header into the transaction using the HTTP::header commmand at either the HTTP_REQUEST or HTTP_REQUEST_RELEASE event. I prefer the latter because it always happens right before we send the request to the backend server.

So a complete irule might look something like this. I used "x-edipi" (custom headers are usually supposed to start with "x-", but that's not a hard rule) for an example, but you'll have to figure out what header the server wants. The F5 doesn't care. A simple test of the header should prevent users from inserting their own header maliciously.

when CLIENTSSL_HANDSHAKE {
  set subj [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
  set EDIPI [string range $subj [expr [string last "." $subj] +1] end]
  log local0. "CAC Auth: Got EDIPI '$EDIPI'"
}

when HTTP_REQUEST_RELEASE {
  if { [HTTP::header exists "x-edipi"] } {
    log local0. "CAC Auth: [IP::client_addr] tried to tell us they were [HTTP::header value x-edipi ]! Drop connection."
    reject
  }
  
  if { [info exists EDIPI] } {
    log local0. "CAC Auth: [IP::client_addr] Inserting $EDIPI"
    HTTP::header replace "x-edipi" $EDIPI
  } else {
    log local0. "EDIPI data not found"
  }
}

As for the client-ssl attached to the virtual, make sure you set the user-auth to "require" (we drop connection if you don't pass the CAC auth) and your allowed-CAs to the proper ones for your CACs.

Maudigan's avatar
Maudigan
Icon for Altocumulus rankAltocumulus
Dec 04, 2023

Lucas, thanks for the detailed response. Your assumptions are correct. I had seen that post you linked when I was searching and had dismissed it as unrelated to what I was looking for for. I had been lead to believe that the process you just described was sort of automatic, that simply by being in the F5 and using HTTPS that the x509 info would automatically be inserted into the HTTP request header and forwarded to the server.

I thought I was just missing the finer details, but I apparently really am missing the overarching architecture of how this will work! I think the important take away from your code is that I can name the EDIPI whatever I want in the request header. That's enough to let me start writing my PHP. So thanks! 

I think I followed your code fine, but am entirely unfamiliar with the syntax/language. Am I right to assume that my server admins will have access to an F5 console where I'd have to get them to setup rules for how we want our connections to be managed, and the script your provided is an example of one of those handling rules?