Forum Discussion
AlexS_yb
Cirrocumulus
Cirrocumulusrequest logging profile want to log client certificate details
Hi
I am setting a requets logging profile and I want to log the client certificate that was associated with the request that comes through.
I have a irule that adds it as a header to pool, but that doesn't seems to be available in the request portition and the backend server doesn't send it back
how can I access client cert information in request-log
Seems like there is an enginerring request to get client cert info into requet-log.
So for now, I have to rewrite as a irule
- JRahm
Admin
can you sanitize what you have with your logging profile and iRule and post where you are?
AlexS_ybtmsh create ltm profile request-log ybrequest-log-20220126
tmsh modify ltm profile request-log ybrequest-log-20220126 app-service none defaults-from ybrequest-log \
#
#request-log-template '$BIGIP_HOSTNAME , $VIRTUAL_NAME , "$\{Host\}",RQ,$CLIENT_IP,$CLIENT_PORT,$DATE_NCSA,$HTTP_METHOD,$HTTP_URI,$HTTP_VERSION,\"${User-agent}\",\"${X-Forwarded-SSL-cert-subject}\","$\{YBID\}","$\{ybmethod\}","$\{DEBTSTHREAD\}"' \
#response-log-template '$BIGIP_HOSTNAME , $VIRTUAL_NAME , "$\{Host\}",RS,$CLIENT_IP,$CLIENT_PORT,$DATE_NCSA,$HTTP_METHOD,$HTTP_URI,$HTTP_VERSION,\"${User-agent}\",\"${X-Forwarded-SSL-cert-subject}\","$\{YBID\}","$\{ybmethod\}","$\{DEBTSTHREAD\}",$VIRTUAL_POOL_NAME,$SERVER_IP,$SERVER_PORT,$SNAT_IP,$SNAT_PORT,$HTTP_STATCODE,$RESPONSE_SIZE,$RESPONSE_MSECS,"$\{X-time\}"'
#is the header added by the irule
X-Forwarded-SSL-cert-subject
the irule looks something like
set certsubject [X509::subject $cert]
HTTP::header insert X-Forwarded-SSL-DN $certsubjectNot sure why thus makes a difference. The general question is how to log client cert info in request-log
- AlexS_yb
Seems like there is an enginerring request to get client cert info into requet-log.
So for now, I have to rewrite as a irule
