Forum Discussion
Matt_108491
Nimbostratus
Dec 03, 2008
Some basic iRule questions
I am a little new to iRules, so if I could get some advice I would appreciate it.
I have traffic moving through an F5 LTM and it uses client-side authentication.
There is an iRule configured that works as follows.
This already exists and seems to work - the idea is to put the cert subject DN into an HTTP header:
when CLIENT_ACCEPTED {
    # Initialize so HTTP_REQUEST does not fail with "no such variable"
    # when the client presented no certificate
    set subject_dn ""
}
when CLIENTSSL_CLIENTCERT {
    # Capture the subject DN of the client certificate
    set subject_dn [X509::subject [SSL::cert 0]]
}
when HTTP_REQUEST {
    # Insert user header
    HTTP::header insert user $subject_dn
    # Log every request header for debugging
    set names [HTTP::header names]
    foreach name $names {
        set val [HTTP::header value $name]
        log local0. " $name: $val"
    }
}
I would like to do two additional steps:
1. Redirect the request to a new URI IF the URL matches a pattern, for example
2. Put the original URL and URI in a second header, which for the sake of discussion I will call mytarget.
So essentially I am trying to modify the above rule to do the following:
if the user goes to *.example.com/ AND the $subject_dn is populated,
store *.example.com/ in a header and redirect them to the same *.example.com/redirect.
3 Replies
hoolio
Cirrostratus
What are you trying to accomplish with the changes to the iRule?
If the application (or LTM) sets an arbitrary HTTP header in a response, the client will not include that same header in a subsequent request. You could try setting a cookie with the subject DN as the cookie value. The client would automatically include the cookie in requests assuming they support cookies. But a malicious client could modify the cookie value. So you could encrypt the cookie value in responses and decrypt it on requests. Another option would be to store the cert information in the session table, using the session command. There are examples of this in the Codeshare:
Insert Cert In Server Headers
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Aaron
- Matt_108491
Nimbostratus
The reason for the arbitrary header is that the redirect sends this request to another proxy which uses both pieces of information.
The flow is:
(certificate)-->LTM(convert cert info to headers)-->Proxy--->Website
Since the LTM is consuming the certificate which the Proxy used to use, the relevant information is being stored in a header.
The mytarget header contains the original intended URL, which the proxy will then pass the user on to.
- hoolio
Cirrostratus
I can understand why you'd want to insert the client cert in the headers if the SSL decryption is being moved to the BIG-IP. But I'm not sure about the URI. Wouldn't the proxy see the original requested URI? Or do you want to change this on the BIG-IP and insert the original URI in a header?
Aaron
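A sketch of the second option hoolio raises (rewrite the request on the BIG-IP and hand the original URL to the proxy in a header, rather than sending the client a 302 that the proxy never sees). This is an added example, not code from the thread or from F5's Codeshare; the host pattern *.example.com, the rewrite target /redirect and the header names user and mytarget are assumptions taken from the original post.

```tcl
# Added example (not from the thread). Assumptions: the proxy is a pool
# member behind this virtual server, the host pattern is *.example.com,
# the rewrite target is /redirect, and the proxy reads the headers
# "user" and "mytarget" as described in the original post.
when CLIENT_ACCEPTED {
    # Initialize so HTTP_REQUEST never references an unset variable
    set subject_dn ""
}
when CLIENTSSL_CLIENTCERT {
    # Subject DN of the client certificate presented during the handshake
    set subject_dn [X509::subject [SSL::cert 0]]
}
when HTTP_REQUEST {
    # The proxy acts on these headers, so never let a client supply them:
    # strip any copies the client sent before inserting our own values.
    HTTP::header remove "user"
    HTTP::header remove "mytarget"

    if { $subject_dn ne "" } {
        HTTP::header insert "user" $subject_dn
    }

    # Act only on the matching host, an authenticated client, and a URI
    # that is not already the rewrite target.
    if { [string match -nocase "*.example.com" [HTTP::host]] \
          && $subject_dn ne "" \
          && ![string match "/redirect*" [HTTP::uri]] } {
        # Original URL as the client requested it. The scheme is https
        # because the client SSL profile terminated TLS on the BIG-IP.
        set original_url "https://[HTTP::host][HTTP::uri]"
        HTTP::header insert "mytarget" $original_url
        # Rewrite the URI the proxy will see, instead of a client redirect,
        # so the headers travel with the request to the proxy.
        HTTP::uri "/redirect"
        log local0. "user=$subject_dn mytarget=$original_url"
    }
}
```

If a true client-side redirect is required instead, the headers cannot ride along with the 302, which is why hoolio points at cookies or the session table for carrying the certificate data across requests.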