Forum Discussion
WagnerFS_250521
Nimbostratus
Feb 24, 2016
SSL Profile for URI
Hi all,
My case
1- We have a virtual server that meets SSL requests (443) without requiring client certificate for connection;
2- Now we need to set up this Virtual Server uri one that start...
Kai_Wilke
MVP
Feb 24, 2016
Hi WagnerFS,
you may try the code below as a starting point...

    when CLIENTSSL_CLIENTCERT {
        # Fires once the client has answered the certificate request.
        if { [SSL::cert count] > 0 } {
            log -noname local0.debug "Client cert is OK; releasing HTTP request."
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        # Only URIs under /context require a client certificate.
        if { [string tolower [HTTP::uri]] starts_with "/context" } then {
            log -noname local0.debug "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
                # Hold the request, then renegotiate with the certificate required.
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }

Note: Tweak your Client SSL Profile so that it trusts and advertises just the desired CA chain.
Cheers, Kai
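
The Client SSL profile tweak mentioned in the note, sketched as bigip.conf-style stanzas. This is an added example, not configuration posted in the thread; the profile names and `internal-client-ca.crt` are hypothetical.

```tmsh
# Added example; profile names and certificate file names are hypothetical.

# Too broad for client authentication: ca-bundle.crt is the stock bundle of
# public CAs, so a certificate issued by any of them would pass validation.
ltm profile client-ssl /Common/clientssl_broad {
    defaults-from /Common/clientssl
    ca-file /Common/ca-bundle.crt
    client-cert-ca /Common/ca-bundle.crt
    peer-cert-mode ignore
    renegotiation enabled
}

# Narrowed: trust and advertise only the chain that issues your client certs.
ltm profile client-ssl /Common/clientssl_context {
    defaults-from /Common/clientssl
    # Trusted Certificate Authorities: chain used to validate the client cert.
    ca-file /Common/internal-client-ca.crt
    # Advertised Certificate Authorities: CA names sent with the certificate
    # request, which the client uses to pick a matching certificate.
    client-cert-ca /Common/internal-client-ca.crt
    # No certificate request on the initial handshake; the iRule switches to
    # "require" only for the protected URI.
    peer-cert-mode ignore
    # SSL::renegotiate needs renegotiation allowed on the profile. The flow
    # depends on TLS renegotiation, which TLS 1.3 does not have.
    renegotiation enabled
}
```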