Turn off client auth if uri equals
This sort of thing becomes a bit easier with APM, but here's an iRule that comes close to the same functionality:
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        # if the client did not present a certificate - fail
        reject
    } else {
        # do something with the cert here
    }
    HTTP::release
}

when HTTP_REQUEST {
    # non-registration URI space requested and F5AUTH cookie does not exist - prompt for client certificate
    if { not ( [HTTP::uri] equals "/favicon.ico" ) and not ( [HTTP::uri] starts_with "/register" ) and not ( [HTTP::cookie exists F5AUTH] ) } {
        # invalidate SSL and renegotiate
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    } elseif { [HTTP::cookie exists F5AUTH] } {
        # F5AUTH cookie exists - send HTTP header data
        if { [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]] ne "" } {
            HTTP::header replace X-CLIENT-CERT [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]]
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { ( [SSL::cert count] > 0 ) and not ( [HTTP::cookie exists F5AUTH] ) } {
            # generate a GUID
            set uniqueid "_[string range [AES::key 256] 34 end]"
            # add cert to local session table
            table add -subtable CERTDATA $uniqueid [X509::subject [SSL::cert 0]]
        }
    }
}

when HTTP_RESPONSE {
    # if the uniqueid variable is set - send the F5AUTH cookie to client
    if { [info exists uniqueid] } {
        HTTP::header insert "Set-Cookie" "F5AUTH=$uniqueid; path=/; secure; HTTPOnly"
        unset uniqueid
    }
}
Configure your client SSL profile to ignore client certificates. The above iRule will trigger an SSL renegotiation for any URL that isn't in the /register namespace, and if the F5AUTH cookie does not exist. Once the client has presented a certificate, the F5AUTH cookie is written to the client so that the routine is never triggered again. The iRule also creates a session table entry, based on the unique ID of the F5AUTH cookie, so that you can store certificate data for later requests.
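The same flow as the iRule in the answer above, written here as an added example rather than the answer's own code. It keeps the answer's names (the F5AUTH cookie, the CERTDATA subtable, the X-CLIENT-CERT header and the /register URI space) and adds three things a practitioner would normally want: the F5AUTH cookie is only honoured when its value still resolves to a live CERTDATA entry, so a stale or made-up token is re-challenged instead of skipping the renegotiation; the CERTDATA entries get an idle timeout (3600 seconds is an assumed value) so the binding between token and certificate expires; and X-CLIENT-CERT is removed from unauthenticated requests so the pool member never sees a client-supplied copy of that header.

```tcl
# Added example (not the original answer's iRule). Assumed names: cookie F5AUTH,
# subtable CERTDATA, header X-CLIENT-CERT, unauthenticated URI space /register,
# and a 3600-second idle timeout on the certificate table entries.

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        # a certificate was required but none was presented: drop the connection
        reject
    }
    HTTP::release
}

when HTTP_REQUEST {
    set authed 0
    if { [HTTP::cookie exists F5AUTH] } {
        set id [HTTP::cookie value F5AUTH]
        # only a token that still maps to a stored certificate counts as
        # authenticated; the lookup also refreshes the entry's idle timeout
        if { [table lookup -subtable CERTDATA $id] ne "" } {
            set authed 1
        } else {
            # unknown or expired token: drop it so the client is challenged again
            HTTP::cookie remove F5AUTH
        }
    }

    if { $authed } {
        # hand the stored subject to the pool member
        HTTP::header replace X-CLIENT-CERT [table lookup -subtable CERTDATA $id]
    } else {
        # never forward a client-supplied X-CLIENT-CERT on an unauthenticated request
        HTTP::header remove X-CLIENT-CERT
        if { not ( [HTTP::uri] equals "/favicon.ico" ) and not ( [HTTP::uri] starts_with "/register" ) } {
            # outside the registration space without a valid token: require a client certificate
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { ( [SSL::cert count] > 0 ) and not ( [HTTP::cookie exists F5AUTH] ) } {
            # fresh random token for this certificate binding
            set uniqueid "_[string range [AES::key 256] 34 end]"
            # store the subject with a 3600 s idle timeout (assumed value)
            table set -subtable CERTDATA $uniqueid [X509::subject [SSL::cert 0]] 3600
        }
    }
}

when HTTP_RESPONSE {
    # a token was just created: bind it to the client as the F5AUTH cookie
    if { [info exists uniqueid] } {
        HTTP::header insert "Set-Cookie" "F5AUTH=$uniqueid; path=/; secure; HttpOnly"
        unset uniqueid
    }
}
```

Because the stale-token branch removes the cookie before the renegotiation, the HTTP_REQUEST_SEND event sees no F5AUTH cookie on that request and issues a new token bound to the certificate actually presented, which is the behaviour you want when an entry has timed out.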