Forum Discussion

Christopher_Hep
Dec 26, 2006

Redirect based on OCSP Denied

I need some help with a situation for which an iRule is probably required:

Configuration:

- BigIP running 9.1.1.
- Client Authentication module enabled.
- Pool with two https servers.
- SSL authentication on BigIP.
- Client authentication through OCSP responder.

Process:

- User connects to VIP on BigIP.
- BigIP checks user revocation status through an OCSP responder.
- If the responder test passes, BigIP connects the client to the balanced pool.
- If the responder test fails, an HTTP message is sent to the user, who sees a default generic failure page.

Issue:

- The customer needs a custom page presented to the user stating that the reason they did not get the requested page was an authentication failure.

Question:

- How do I direct the traffic between the user and the pool based on a conversation between the BigIP and the OCSP responder?

Thanks - Chris

 

1 Reply

Deb_Allen_18
Historic F5 Account

Hi Chris -

I would think you could leverage the AUTH_FAILURE event to manage that condition and have LTM serve up an appropriate response.

Here's an example of an iRule that should have worked: http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=7689

This poster was having difficulty getting it to work, but they were running 9.2, and there were several pieces of SSL::cert that worked fine in 9.1 (maint release) that didn't work in 9.2 (feature release).

So I'd say it's worth trying on 9.1. If you are not successful, post back on the thread above.

HTH

/deb
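One way to put the AUTH_FAILURE suggestion above into an iRule, as an added example that is not from the thread or from F5: the OCSP auth configuration name my_ssl_ocsp is a placeholder, and the rule assumes it replaces the default _sys_auth_ssl_ocsp rule on the virtual server (that rule rejects the connection in AUTH_FAILURE, so no HTTP response could ever be delivered).

```tcl
# Added example, not from the thread. "my_ssl_ocsp" is a placeholder for the
# SSL OCSP auth configuration; this rule stands in for _sys_auth_ssl_ocsp.
when CLIENTSSL_CLIENTCERT {
    # Start the OCSP check for the presented client cert and hold the
    # handshake until the responder answers.
    if { [SSL::cert count] > 0 } {
        set ocsp_sid [AUTH::start pam my_ssl_ocsp]
        AUTH::cert_credential $ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $ocsp_sid
        SSL::handshake hold
    }
}

when AUTH_SUCCESS {
    if { [info exists ocsp_sid] && $ocsp_sid == [AUTH::last_event_session_id] } {
        SSL::handshake resume
    }
}

when AUTH_FAILURE {
    # Cert revoked or denied by the responder: remember it and let the
    # handshake finish so the custom page can be sent over HTTP.
    if { [info exists ocsp_sid] && $ocsp_sid == [AUTH::last_event_session_id] } {
        set ocsp_denied "revocation check failed"
        SSL::handshake resume
    }
}

when AUTH_ERROR {
    # Responder unreachable or bad reply: fail closed on the same path.
    if { [info exists ocsp_sid] && $ocsp_sid == [AUTH::last_event_session_id] } {
        set ocsp_denied "revocation status could not be determined"
        SSL::handshake resume
    }
}

when HTTP_REQUEST {
    # A denied client never reaches the pool: every request on this
    # connection gets the custom 403 page and the connection is closed.
    if { [info exists ocsp_denied] } {
        set body "<html><body><h1>Access denied</h1><p>Client certificate authentication failed: $ocsp_denied.</p></body></html>"
        HTTP::respond 403 content $body "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```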