Forum Discussion
Peter_Z
Jun 17, 2019 (Cirrus)
Selective URL client cert authentication with OU check
I'm trying to write an iRule which requires client cert for selected URLs - similar to this one: https://devcentral.f5.com/s/articles/selective-client-cert-authentication. I need to add one extra ...
iaine
Jul 01, 2019 (Nacreous)
Hi
I've just re-ordered your logic slightly; hopefully it helps a little.
when CLIENTSSL_CLIENTCERT {
    # if there is still no cert after the SSL renegotiation kill the connection by sending
    # a reset back to the client; this runs first, before the cert is read below
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    set cert_subject [X509::subject [SSL::cert 0]]
    # issuer is not used below; kept available for an issuer check
    set cert_issuer [X509::issuer [SSL::cert 0]]
    # allow Department1, Department2 in PROD, or the allow-listed client address
    # (route-domain suffix "%n" is stripped by getfield before the comparison)
    if { ($cert_subject contains "OU=Department1") || \
         (($cert_subject contains "OU=Department2") && ($cert_subject contains "OU=PROD")) || \
         ([IP::addr [getfield [IP::client_addr] "%" 1] equals 192.168.20.1]) } {
        pool localhost_http
    } else {
        reject
    }
}
when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/test1/*" {
            # no client cert presented yet: require one and renegotiate for this URI only
            if { [SSL::cert count] <= 0 } {
                SSL::authenticate always
                SSL::authenticate depth 10
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
}
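The OU check in the rule above compares the whole subject string with Tcl's `contains`, which is a substring test. What follows is an added example, not code from this thread or from F5: a Python model of the same authorization predicate that first splits the subject into its RDN components, so that "OU=Department1" only matches an OU whose whole value is Department1, alongside the substring form as the iRule writes it. The comma-separated DN format (as returned by X509::subject) and the sample subjects and client address are assumptions constructed for the example.

```python
# Added example (not from the DevCentral thread or F5): a model of the
# OU / client-IP authorization predicate from the iRule above, comparing the
# whole-string substring test against a per-RDN comparison.
# All subject strings below are constructed sample data.
import ipaddress

ALLOWLISTED_CLIENT = ipaddress.ip_address("192.168.20.1")  # value from the iRule


def parse_subject(subject):
    """Split a comma-separated DN string such as 'CN=alice,OU=Department1,O=Example'
    into (attribute, value) pairs. A backslash escapes the next character, so a
    comma inside a value ('O=Acme\\, Inc') does not start a new RDN. That X509::subject
    returns this comma-separated form is an assumption of the example."""
    rdns, buf, escaped = [], [], False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if sep:  # skip empty or malformed pieces
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def org_units(subject):
    """Set of OU values present in the subject (a DN may carry several)."""
    return {value for attr, value in parse_subject(subject) if attr == "OU"}


def client_ip_allowed(client_addr):
    """Mirror of getfield [IP::client_addr] "%" 1: drop a BIG-IP route-domain
    suffix such as '%2' before comparing the address."""
    bare = client_addr.split("%", 1)[0]
    return ipaddress.ip_address(bare) == ALLOWLISTED_CLIENT


def allowed_substring(subject, client_addr):
    """The predicate as the iRule writes it: Tcl `contains` is a substring
    test over the whole subject string."""
    return ("OU=Department1" in subject
            or ("OU=Department2" in subject and "OU=PROD" in subject)
            or client_ip_allowed(client_addr))


def allowed_exact(subject, client_addr):
    """Same policy, but each OU must match a whole RDN value."""
    ou = org_units(subject)
    return ("Department1" in ou
            or {"Department2", "PROD"} <= ou
            or client_ip_allowed(client_addr))


if __name__ == "__main__":
    # Constructed subjects; the last two show where the two predicates diverge.
    samples = [
        ("CN=alice,OU=Department1,O=Example", "10.0.0.5"),
        ("CN=carol,OU=Department2,OU=PROD,O=Example", "10.0.0.5"),
        ("CN=nobody,O=Example", "192.168.20.1%2"),
        ("CN=bob,OU=Department10,O=Example", "10.0.0.5"),
        ("CN=dave,OU=Department2,OU=PRODUCTION,O=Example", "10.0.0.5"),
    ]
    for subject, addr in samples:
        print(f"{subject:48} substring={allowed_substring(subject, addr)!s:5} "
              f"exact={allowed_exact(subject, addr)}")
```

Running the block prints one line per constructed subject; the first three are accepted by both forms, while the last two (an OU of Department10, and PRODUCTION in place of PROD) pass the substring form only. On BIG-IP the same per-value comparison can be expressed by splitting the subject on commas and testing each piece with `equals` instead of `contains`.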