For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

KimiLi_147173's avatar
KimiLi_147173
Icon for Nimbostratus rankNimbostratus
Apr 04, 2019

Require client authentication once based on specific FQDN

Hi all,   I got a vs on LTM with SSL offload, which accepts client requests with multiple FQDN in http header.   Is that possible I'd have an irule which requires client SSL certificate authent...
application delivery
iRules
LTM
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 04, 2019

Hi,

First of configure you ssl client with the following parameters:

  • authenticate always
  • authenticate depth 9
  • cert mode request
  • renegotiate

don't forget to set "Trusted Certificate Authorities" and "Advertised Certificate Authorities" with right CA...

Simple Irule for begin:

when CLIENTSSL_CLIENTCERT {

set auth 0
 Check if client provided a cert
if {[SSL::cert 0] eq ""}{
     Reset the connection
    set auth 0
} else {
    Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    log "Client Certificate Received: $subject_dn"
    set cert [b64encode [SSL::cert 0]]
    set auth 1
   }
}



when HTTP_REQUEST {

switch -glob [string tolower [HTTP::host]] {
    "app.mydomain.com" {
        if {$auth == 0} {
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/html" "Connection" "Close"
        }
    }
    "app.mydomain.com" {
        if {$auth == 0} {
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/html" "Connection" "Close"
        }
    }
    default {
         don nothing
    }
}
}

You have also this interesting post:

https://devcentral.f5.com/articles/selective-client-cert-authentication

You just have to change URI by Hostname...

regards,