Request client cert based on URI access
I've been dredging DevCentral and built 4 or 5 iterations of an iRule with mixed success. I made a good breakthrough, but then the scope crept and I'm back at step 1.
I am attempting to develop an iRule that will limit access to certain URIs based upon the client providing a certificate. The trick is that users can only be prompted to provide a certificate when they access the specific URI. I've started fresh using the example provided here:
http://devcentral.f5.com/wiki/iRule...ation.ashx
I've obfuscated some data, but nothing critical to the running of the iRule. I've also changed the outcome: I just want the PEM-encoded cert inserted in the header (processing occurs on the application server).
In its current form, the connection seems to 'hang', which makes me think the HTTP::release isn't happening.
Here is where I am now:
# Initialize the variables on each new client TCP session.
when CLIENT_ACCEPTED {
    set collecting 0
    set renegtried 0
}

# Runs for each new HTTP request.
when HTTP_REQUEST {
    # Never trust a copy of this header supplied by the client: it is only
    # meaningful when this iRule inserts it from the verified TLS session.
    HTTP::header remove "X-ENV-SSL_CLIENT_CERTIFICATE"

    if { $renegtried == 0 and [SSL::cert count] == 0 and ( [HTTP::uri] equals "/URI/ClientCert" ) } {
        # Hold the request until the renegotiation completes;
        # CLIENTSSL_HANDSHAKE releases it.
        HTTP::collect
        set collecting 1
        SSL::cert mode request
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake too; only act on our renegotiation.
    if { $collecting == 1 } {
        set renegtried 1
        set collecting 0
        HTTP::release
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # Set a variable for the whole cert as a single base64 line:
            # strip the BEGIN/END armour and the line breaks.
            set ssl_cert_whole [string map [list "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" "\r" "" "\n" ""] [X509::whole [SSL::cert 0]]]
            # Log to show we are receiving the cert.
            log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
            # Insert the whole cert as a header for the application server.
            HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
        } elseif { [HTTP::uri] equals "/URI/ClientCert" } {
            # Only the restricted URI requires a cert; other URIs pass through.
            log local0. "Restricted zone. No client cert detected - redirecting."
            HTTP::redirect "https://error.com"
        }
    }
}
Any help would be awesome.
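An added example for the application-server side that the post hands off to ("processing occurs on the application server"). It is not part of the original post and not F5 code. It assumes the header name the iRule inserts, X-ENV-SSL_CLIENT_CERTIFICATE, carrying the certificate as one line of base64 with the PEM armour and line breaks stripped, and a hypothetical rule that every path under /URI/ClientCert is restricted (the iRule itself matches the URI exactly). It rebuilds the PEM, checks that the value decodes to exactly one complete DER SEQUENCE, and refuses a restricted request when the header is missing, malformed, or present more than once, since a second copy means something other than the F5 added one. The DER sample is constructed (a bare SEQUENCE of two INTEGERs, not a real certificate) so the block runs offline.

```python
import base64
import binascii
import re

# Header name the iRule inserts (from the post) and the path it gates.
# Treating everything under the path as restricted is an assumption of
# this example; the iRule itself matches the URI exactly.
HEADER = "X-ENV-SSL_CLIENT_CERTIFICATE"
RESTRICTED_PREFIX = "/URI/ClientCert"

# One line of base64, as produced by stripping PEM armour and line breaks.
_BARE_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def der_length(der: bytes) -> int:
    """Total encoded size of the outer DER element, which for a certificate
    must be a SEQUENCE (tag 0x30). Raises ValueError on a malformed header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad length octets")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def header_to_pem(value: str) -> str:
    """Undo the iRule's flattening: validate the bare base64, check it holds
    exactly one complete DER SEQUENCE, and re-wrap it as PEM (64 columns)."""
    blob = value.strip()
    if not _BARE_B64.match(blob):
        raise ValueError("header is not a single line of base64")
    try:
        der = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64 decode failed") from exc
    if der_length(der) != len(der):
        raise ValueError("DER length does not match payload size")
    body = "\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def authorize(path: str, headers):
    """Return (allowed, pem). Unrestricted paths pass without a cert. A
    restricted path needs exactly one well-formed copy of the header:
    zero means the F5 saw no client cert; more than one means something
    other than the F5 (a client, or a hop in front of it) added a copy."""
    values = [v for k, v in headers if k.lower() == HEADER.lower()]
    if not path.startswith(RESTRICTED_PREFIX):
        return True, None
    if len(values) != 1:
        return False, None
    try:
        return True, header_to_pem(values[0])
    except ValueError:
        return False, None


# Constructed sample input: a DER SEQUENCE of two INTEGERs, not a real
# certificate, so the example runs offline. TRUNCATED_HEADER cuts the
# payload short of the length its DER header declares.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode()          # "MAYCAQECAQI="
TRUNCATED_HEADER = base64.b64encode(SAMPLE_DER[:5]).decode()   # "MAYCAQE="

if __name__ == "__main__":
    print(authorize("/URI/ClientCert", [(HEADER, SAMPLE_HEADER)]))
    print(authorize("/URI/ClientCert", [(HEADER, TRUNCATED_HEADER)]))
    print(authorize("/URI/ClientCert", [(HEADER, SAMPLE_HEADER), (HEADER, SAMPLE_HEADER)]))
```

The duplicate-header refusal only has teeth if the application server is reachable solely through the F5 and the iRule strips any client-supplied copy of the header before inserting its own; otherwise a caller can present any certificate it likes as a header value.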