F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Peter_Z's avatar
Peter_Z
Icon for Cirrus rankCirrus
Jun 17, 2019

Selective URL client cert authentication with OU check

I'm trying to write an iRule which requires client cert for selected URLs - similar to this one: https://devcentral.f5.com/s/articles/selective-client-cert-authentication. I need to add one extra ...
application delivery
iRules
LTM
iaine's avatar
iaine
Icon for Nacreous rankNacreous
Jul 01, 2019

Hi

I've just re-ordered your logic slightly, hopefully it helps a little

when CLIENTSSL_CLIENTCERT {
	set cert_subject [X509::subject [SSL::cert 0]]
	set cert_issuer [X509::issuer [SSL::cert 0]]
		if { ($cert_subject contains "OU=Department1") || (($cert_subject contains "OU=Department2") && ($cert_subject contains "OU=PROD")) || ( [IP::addr [getfield [IP::client_addr] "%" 1] equals 192.168.20.1 ] ) } {
		pool localhost_http
		} else {
		reject
	}
# if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
	if { [SSL::cert count] < 1 } {
	reject
	}
}
 
when HTTP_REQUEST {
	switch -glob [HTTP::uri] {
		"/test1/*" {
			if { [SSL::cert count] <= 0 } {
			SSL::authenticate always
			SSL::authenticate depth 10
			SSL::cert mode require
			SSL::renegotiate
			}
		}
	}
}