For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

faizan123_23330's avatar
faizan123_23330
Icon for Nimbostratus rankNimbostratus
Sep 05, 2016

SSL mutual authentication against the pool

we have configured a HTTPS virtual server on the f5 and we add a proxy pass(i-rule) and client side SSL certificate against that server.   in the i rule we have configured   when HTTP_REQUE...
application delivery
BIG-IP
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 05, 2016

The idea here is that all users will initially go to your "proxy-pass" application VIP, and as soon as someone requests "/GHI*", they'd get redirected to a second VIP that performs mutual authentication. You're just adding a separate VIP and separate client SSL profile, and probably a second DNS entry to point to this separate VIP.

 

I did make a typo in the last code example though. I added [string tolower ] in the switch condition, but didn't make the conditions lower case. Here's a better example:

 

when HTTP_REQUEST { 
    switch -glob [string tolower [HTTP::uri]] { 
        "/abc" { 
            pool ABC 
            HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end] 
        } 
        "/def" { 
            pool DEF 
            HTTP::uri [string range [HTTP::uri] [string first "/" [HTTP::uri] 1] end] 
        } 
        "/ghi*" { 
            HTTP::redirect "https://mutual-auth-vip.domain.com"
        }
    }
}