Forum Discussion
Matt_108491
Nimbostratus
NimbostratusSome basic iRule questions
I am a little new to irules so I could get some advice I would appriciate it.
I have traffic moving through an F5 LTM and it uses client side authentication.
There is an I rule configured that works as follows
This is existing and seems to work - the idea is to put the cert subject dn into an http header -
when CLIENTSSL_CLIENTCERT {
set subject_dn [X509::subject [SSL::cert 0]]
}
when HTTP_REQUEST {
Insert user header
HTTP::header insert user $subject_dn
set names [HTTP::header names]
foreach name $names {
set val [HTTP::header value $name]
log local0. " $name: $val"
}
}
I would like to do two additonal steps
1. Redirect the request to a new URI IF the URL matches a pattern for example
2. Put the origninal URL and URI in a second head which for the sake of discussion I will call mytarget.
so essentially I am trying to modify the above rule too do the following
if the users goes to *.example.com/ AND the $subject_dn is populated
send them store *.example.com/ in a header and redirect them to the same *.example.com/redirect
hoolioCirrostratus
What are you trying to accomplish with the changes to the iRule?
If the application (or LTM) sets an arbitrary HTTP header in a response, the client will not include that same header in a subsequent request. You could try setting a cookie with the subject DN as the cookie value. The client would automatically include the cookie in requests assuming they support cookies. But a malicious client could modify the cookie value. So you could encrypt the cookie value in responses and decrypt it on requests. Another option would be to store the cert information in the session table, using the session command (Click here). There are examples of this in the Codeshare:
Insert Cert In Server Headers
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Aaron
Matt_108491
The reason for the aribtrary header is that the redirect sends this request to another proxy which uses both pieces of information.
The Flow is:
(certificate)-->LTM(convert cert info to headers)-->Proxy--->Website
Since LTM is consuming the certificate which the Proxy used to use. relevent information is being stored in a header.
The mytarget header contains the orignial intended URL which the proxy will then pass the user onto.- hoolioI can understand why you'd want to insert the client cert in the headers if the SSL decryption is being moved to the BIG-IP. But I'm not sure about the URI. Wouldn't the proxy see the original requested URI? Or do you want to change this on the BIG-IP and insert the original URI in a header?
Aaron