Forum Discussion
RiverFish (Altostratus), Jun 04, 2014
Turn off client auth if uri equals
Customers connect to one IP. They connect with an app, not a browser. They use port 5443 to register (obtain a cert we issue) for the service, and port 443 for the actual service.
register: https:/...
Kevin_Stewart (Employee), Jun 27, 2014
Okay, I've made some improvements. I was getting random faults using the table command in HTTP_REQUEST_SEND. Also notice that I've added the registration pool definition at the top as a global variable, and that you can insert multiple certificate values (if you need to).
```tcl
when RULE_INIT {
    # user-defined: registration pool
    set static::REGPOOL "local-pool-2"
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        # the client did not present a certificate - fail
        reject
    } else {
        # set a temporary cert variable here
        set clientcertdata [X509::subject [SSL::cert 0]]
        # multiple cert values could be inserted as a list of lists: [list [list name value] [list name value]]
        # example:
        # set clientcertdata [list [list "CertSubject" [X509::subject [SSL::cert 0]]] [list "CertIssuer" [X509::issuer [SSL::cert 0]]]]
    }
    HTTP::release
}

when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    # non-registration URI space requested and F5AUTH cookie does not exist - prompt for client certificate
    if { not ( [HTTP::uri] equals "/favicon.ico" ) and not ( [HTTP::uri] starts_with "/private" ) and not ( [HTTP::cookie exists F5AUTH] ) } {
        # invalidate SSL and renegotiate
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    } elseif { [HTTP::cookie exists F5AUTH] } {
        # F5AUTH cookie exists - send HTTP header data
        if { [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]] ne "" } {
            # insert cert subject
            HTTP::header replace SSLClientCertSubject [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]]
            # if choosing to use a list of cert data:
            # foreach x [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]] {
            #     HTTP::header replace [lindex $x 0] [lindex $x 1]
            # }
        }
    }
    if { [HTTP::uri] starts_with "/private" } {
        pool $static::REGPOOL
    } else {
        pool $default_pool
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { ( [info exists clientcertdata] ) and not ( [HTTP::cookie exists F5AUTH] ) } {
            # send first header
            HTTP::header replace SSLClientCertSubject $clientcertdata
            # if choosing to use a list of cert data:
            # foreach x $clientcertdata {
            #     HTTP::header replace [lindex $x 0] [lindex $x 1]
            # }
        }
    }
}

when HTTP_RESPONSE {
    # if the clientcertdata variable is set - send the F5AUTH cookie to client
    if { [info exists clientcertdata] } {
        # generate a GUID
        set uniqueid "_[string range [AES::key 256] 34 end]"
        # insert the table entry
        table add -subtable CERTDATA $uniqueid $clientcertdata 3600
        # send the cookie
        HTTP::header insert "Set-Cookie" "F5AUTH=$uniqueid; path=/; secure; HTTPOnly"
        # unset the clientcertdata variable
        unset clientcertdata
    }
}
```
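To see how the branches above interact before putting the iRule in front of real clients, here is an added Python model of its decision logic; it is not part of Kevin's answer and runs nowhere near a BIG-IP. The pool names, the `CertTable` class, the request and cookie helpers and the sample subjects are all constructed for this illustration; the session id is a random token standing in for the `AES::key` trick. The model reproduces every path the iRule takes: the favicon and `/private` exemptions, the renegotiation trigger, the cookie-bound header insertion with the 3600-second table lifetime, and the single-subject versus list-of-pairs header forms. Running it shows one case a reviewer should be aware of: a request carrying an `F5AUTH` cookie whose table entry has expired is neither challenged nor given a certificate header, so the backend must treat a missing `SSLClientCertSubject` header as "not authenticated" rather than assume the BIG-IP always sets it.

```python
import secrets

# Constants mirroring the iRule (the pool names are made-up sample values)
COOKIE_NAME = "F5AUTH"
EXEMPT_URIS = {"/favicon.ico"}
REGISTRATION_PREFIX = "/private"
TABLE_TTL = 3600            # seconds, as in "table add ... 3600"
DEFAULT_POOL = "default-pool"
REG_POOL = "local-pool-2"   # the iRule's static::REGPOOL


class CertTable:
    """Stand-in for the CERTDATA subtable: id -> (cert data, expiry time)."""

    def __init__(self):
        self._rows = {}

    def add(self, key, value, ttl, now):
        self._rows[key] = (value, now + ttl)

    def lookup(self, key, now):
        """Return the stored cert data, or None if absent or expired (the
        iRule's "ne \"\"" check sees an expired entry as empty)."""
        row = self._rows.get(key)
        if row is None or row[1] <= now:
            self._rows.pop(key, None)
            return None
        return row[0]


def new_session_id():
    # The iRule derives this from [AES::key 256]; a random token is assumed here.
    return "_" + secrets.token_hex(16)


def headers_for(certdata):
    """Single subject string -> one header; list of (name, value) pairs -> one
    header each, matching the two commented alternatives in the iRule."""
    if isinstance(certdata, str):
        return {"SSLClientCertSubject": certdata}
    return {name: value for name, value in certdata}


def decide_request(uri, cookies, table, now):
    """Reproduce the HTTP_REQUEST event. Returns whether the BIG-IP would
    renegotiate for a client cert, which headers it adds, and which pool."""
    decision = {"renegotiate": False, "headers": {}, "pool": DEFAULT_POOL}
    has_cookie = COOKIE_NAME in cookies
    exempt = uri in EXEMPT_URIS or uri.startswith(REGISTRATION_PREFIX)
    if not exempt and not has_cookie:
        # first visit to protected URI space: demand a client certificate
        decision["renegotiate"] = True
    elif has_cookie:
        # returning client: replay the stored cert data as headers, if still valid
        data = table.lookup(cookies[COOKIE_NAME], now)
        if data is not None:
            decision["headers"] = headers_for(data)
    if uri.startswith(REGISTRATION_PREFIX):
        decision["pool"] = REG_POOL
    return decision


def bind_certificate(certdata, table, now):
    """Reproduce HTTP_RESPONSE: store the cert data under a fresh id for
    TABLE_TTL seconds and build the Set-Cookie value sent to the client."""
    uid = new_session_id()
    table.add(uid, certdata, TABLE_TTL, now)
    cookie = f"{COOKIE_NAME}={uid}; path=/; secure; HTTPOnly"
    return uid, cookie


if __name__ == "__main__":
    table = CertTable()
    print(decide_request("/service", {}, table, 0))          # renegotiate
    uid, cookie = bind_certificate("CN=device-1", table, 0)  # constructed subject
    print(cookie)
    print(decide_request("/service", {COOKIE_NAME: uid}, table, 10))     # header set
    print(decide_request("/service", {COOKIE_NAME: uid}, table, 3600))   # expired
```

The `decide_request` return value is what a detection engineer would log per request on the real device: a `renegotiate` of `False` with empty `headers` on a non-exempt URI is exactly the stale-cookie case worth alerting on.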