Forum Discussion
Miguel_61449
Nimbostratus
Jan 24, 2011
SSL Client Profile based on the URL
Hello group,
I am working with the following iRule. The goal I pursue is this: the iRule must make client certificate authentication happen via SSL Client Profile A or B, based on the URL requested by the user. The difference between Client SSL profiles A and B is the CA that issued the client certificate.
When the SSL client profile is selected and the user is authenticated, the certificate must be sent to the backend server in a header named x-client-cert.
I do not know how to select the correct SSL Client Profile based on the URL; I don't even know if it's possible to do that. I wonder if anyone has done this at some point, and I would appreciate it if anyone can help me with this.
The iRule I’m working on:
-------------------------------
when CLIENTSSL_CLIENTCERT {
    # Cache the presented client certificate (DER bytes) under the SSL session ID
    # so it can be found again on later requests, including on a resumed session.
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert 1000
}
when HTTP_REQUEST {
    # Strip any client-supplied copies first, so only the BIG-IP ever sets these
    # headers (doing this only after authentication would let a client spoof them).
    HTTP::header remove x-client-cert
    HTTP::header remove clientcert-xml
    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert eq "" } {
        # No certificate seen on this SSL session yet: ask the client for one.
        # Note: the request is not held back with HTTP::collect, so it is forwarded
        # before the handshake delivers a certificate, i.e. without the header.
        SSL::renegotiate
    } else {
        HTTP::header insert x-client-cert [b64encode $client_cert]
        log local0. "File: [HTTP::path] x-client-cert: [string range [b64encode $client_cert] 0 10] ..."
    }
    # Append the client address to X-Forwarded-For, or create the header.
    if { [HTTP::header exists X-Forwarded-For] } {
        HTTP::header replace X-Forwarded-For "[HTTP::header x-forwarded-for], [IP::client_addr]"
    } else {
        HTTP::header insert x-forwarded-for [IP::client_addr]
    }
}
-------------------------------
Thanks you!
Miguel.
4 Replies
- hoolio
Cirrostratus
Hi Miguel,
You might be able to just add both CA root certs to the same bundle and configure that in the client SSL profile.
If that doesn't work, you could potentially select the client SSL profile based on the requested URI. You'd need to use SSL::renegotiate after parsing the URI to determine which client SSL profile to select. You could then call SSL::profile to select that profile. Here are the related wiki pages for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__renegotiate
http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__profile
Here is a rough, untested idea of what the SSL renegotiation might look like:
-------------------------------
when HTTP_REQUEST {
    # Check the requested path
    switch -glob [HTTP::path] {
        "/profile1_uri/*" {
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
            SSL::profile profile1_clientssl
        }
        "/profile2_uri/*" {
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
            SSL::profile profile2_clientssl
        }
    }
}
-------------------------------
If you try this, add some debug logging, test with a client cert from each CA and reply back with details of any issues you encounter.
Aaron
- Miguel_61449
Nimbostratus
Thank you, Aaron!
I will try to implement this with my iRule and I will post my findings here.
Best regards,
Miguel Angel.
- Miguel_61449
Nimbostratus
Hi,
I have tried the iRule, but I have found that the command SSL::profile is not allowed in the event HTTP_REQUEST; the SSL::profile command is only allowed in the CLIENT_ACCEPTED and SERVER_CONNECTED events, so I need to figure out how to implement this. Any ideas?
Thanks,
Miguel Angel.
- JRahm
Admin
You might need to wrap the SSL::profile in an eval command.
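The thread ends with SSL::profile being rejected in HTTP_REQUEST. The following iRule is an added example, not code posted by anyone in the thread and not an F5-supplied rule: it takes hoolio's first suggestion (one client SSL profile whose trusted-CA bundle contains both CA roots, with the initial handshake not requiring a certificate) and then enforces per URL which CA must have issued the certificate, so no profile switch is needed at all. It goes a little beyond the original question by also checking that a certificate from CA A cannot unlock a CA B path. The path patterns, the issuer DN strings and the 403 text are placeholders; the DNs must be replaced with the exact strings X509::issuer returns for your CAs.

```tcl
# Added example (not from the thread). Assumes a single client SSL profile
# with BOTH CA roots in its trusted-CA bundle and "client certificate: ignore"
# on the initial handshake. Path patterns and issuer DNs are placeholders.

when RULE_INIT {
    # Placeholder mapping: path glob -> issuer DN the client cert must carry.
    set static::ca_for_path {
        "/appA/*" "CN=CA A,O=Example Corp"
        "/appB/*" "CN=CA B,O=Example Corp"
    }
}

when CLIENT_ACCEPTED {
    # Connection-scoped: the issuer a pending renegotiation must satisfy.
    # CLIENT_ACCEPTED fires before the TLS handshake, so it is always set
    # by the time CLIENTSSL_CLIENTCERT runs.
    set required_issuer ""
}

when HTTP_REQUEST {
    # Never let a client-supplied copy of our header reach the server.
    HTTP::header remove x-client-cert

    # Which CA does this path require? "" means no client cert is needed.
    set required_issuer ""
    foreach {pattern issuer} $static::ca_for_path {
        if { [string match $pattern [HTTP::path]] } {
            set required_issuer $issuer
            break
        }
    }
    if { $required_issuer eq "" } { return }

    if { [SSL::cert count] == 0 } {
        # No certificate on this TLS session yet: hold the request, then
        # demand one. CLIENTSSL_CLIENTCERT checks it and releases the request.
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
        return
    }

    # Certificate already presented on this session: the chain was verified
    # against the bundle by the BIG-IP; here we pin the issuer to the path.
    set cert [SSL::cert 0]
    if { [X509::issuer $cert] ne $required_issuer } {
        HTTP::respond 403 content "client certificate issued by the wrong CA"
        return
    }
    HTTP::header insert x-client-cert [b64encode $cert]
}

when CLIENTSSL_CLIENTCERT {
    # Runs after a (re)negotiated handshake in which a certificate was sent.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    # Non-zero means the chain did not verify against the trusted-CA bundle.
    if { [SSL::verify_result] != 0 } {
        reject
        return
    }
    # A cert from the other CA is valid TLS-wise but not for this path.
    if { $required_issuer ne "" && [X509::issuer [SSL::cert 0]] ne $required_issuer } {
        reject
        return
    }
    # Let the request held by HTTP::collect continue to the server. That
    # held request is forwarded without the x-client-cert header; every
    # later request on the session gets it from HTTP_REQUEST above.
    HTTP::release
}
```

Because the CA check happens in the iRule rather than through two profiles, the restriction Miguel ran into (SSL::profile not being valid in HTTP_REQUEST) no longer matters, and the header can still only be set by the BIG-IP because HTTP_REQUEST strips inbound copies on every path. When testing, use one certificate from each CA against both path prefixes and confirm the cross-CA combinations are refused.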