Forum Discussion
SSL mutual authentication against the pool
The point is, at the moment that you need to make an SSL decision, whether or not to require a client certificate, you haven't yet decrypted the application layer (HTTP), so you don't have access to the URL. iRule events work just like the OSI model. So at layer 6, you have access to all of the information available at layers 6 and below, which would include ClientHello SNI, ports, IP addresses, etc.
So you could make an SSL handshake decision based on the source or destination address, or the SNI in the client's ClientHello message. Or, you could direct all traffic to your regular VIP with the above iRule, and then redirect requests to a specific URL to another VIP that does mutual authentication.
when HTTP_REQUEST {
    # The URI is lowercased before matching, so the glob patterns must be
    # lowercase as well; uppercase patterns here would never match.
    switch -glob [string tolower [HTTP::uri]] {
        "/abc" {
            pool ABC
            # Drop the first path segment before the request reaches the pool
            HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end]
        }
        "/def" {
            pool DEF
            HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end]
        }
        "/ghi*" {
            # Hand this path to the virtual server that enforces mutual authentication
            HTTP::redirect "https://mutual-auth-vip.domain.com"
        }
    }
}