Forum Discussion
RiverFish
Jun 04, 2014, Altostratus
Turn off client auth if uri equals
Customers connect to one IP. They connect with an app, not a browser. They use port 5443 to register (obtain a cert we issue) for the service, and port 443 for the actual service.
register: https:/...
Kevin_Stewart
Employee
Try this (minor update):
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        # the client did not present a certificate - fail
        reject
    } else {
        # do something with the cert here
    }
    # release the request that HTTP_REQUEST collected before the renegotiation
    HTTP::release
}
when CLIENT_ACCEPTED {
    # remember the virtual server's default pool so it can be restored per request
    set default_pool [LB::server pool]
}
when HTTP_REQUEST {
    # non-registration URI space requested and F5AUTH cookie does not exist - prompt for client certificate
    if { not ( [HTTP::uri] equals "/favicon.ico" ) and not ( [HTTP::uri] starts_with "/register" ) and not ( [HTTP::cookie exists F5AUTH] ) } {
        # invalidate SSL and renegotiate
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    } elseif { [HTTP::cookie exists F5AUTH] } {
        # F5AUTH cookie exists - send HTTP header data
        if { [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]] ne "" } {
            HTTP::header replace X-CLIENT-CERT [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]]
        }
    }
    # registration traffic goes to its own pool, everything else to the default pool
    if { [HTTP::uri] starts_with "/register" } {
        pool local-pool-2
    } else {
        pool $default_pool
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { ( [SSL::cert count] > 0 ) and not ( [HTTP::cookie exists F5AUTH] ) } {
            # generate a GUID
            set uniqueid "_[string range [AES::key 256] 34 end]"
            # add cert to local session table
            table add -subtable CERTDATA $uniqueid [X509::subject [SSL::cert 0]]
        }
    }
}
when HTTP_RESPONSE {
    # if the uniqueid variable is set - send the F5AUTH cookie to client
    if { [info exists uniqueid] } {
        HTTP::header insert "Set-Cookie" "F5AUTH=$uniqueid; path=/; secure; HTTPOnly"
        unset uniqueid
    }
}
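An added hardening example, written for this thread and not part of Kevin_Stewart's answer: a variant of the HTTP_REQUEST and HTTP_REQUEST_SEND events from the rule above. In the posted rule, X-CLIENT-CERT is only replaced when the F5AUTH cookie resolves to a CERTDATA entry, so a header the client sent itself would reach the backend on every other request (the first request after a renegotiation, /register, favicon). The cookie branch also forwards a request with no header and no renegotiation when the cookie is present but the table entry has expired. The variant below strips any client-supplied X-CLIENT-CERT, treats a cookie without a matching table entry as unauthenticated and renegotiates, and gives the table entry an explicit lifetime. It assumes the CLIENT_ACCEPTED, CLIENTSSL_CLIENTCERT and HTTP_RESPONSE events of the original rule stay in place; the pool name local-pool-2 is taken from the thread and the 1800 second timeout and lifetime are assumptions for illustration.

```tcl
# Added example, not the original poster's rule. Assumes CLIENT_ACCEPTED,
# CLIENTSSL_CLIENTCERT and HTTP_RESPONSE from the rule above are unchanged.
when HTTP_REQUEST {
    # Never trust an identity header supplied by the client; only the
    # BIG-IP may set X-CLIENT-CERT on the way to the backend.
    HTTP::header remove X-CLIENT-CERT

    set authenticated 0
    if { [HTTP::cookie exists F5AUTH] } {
        set subject [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]]
        if { $subject ne "" } {
            # Cookie maps to a cached cert subject: pass it to the backend.
            HTTP::header insert X-CLIENT-CERT $subject
            set authenticated 1
        } else {
            # Expired or forged cookie: drop it so HTTP_REQUEST_SEND issues a
            # fresh one after the client presents a certificate.
            HTTP::cookie remove F5AUTH
        }
    }

    # Registration (obtaining a cert) needs no client cert; route and stop.
    if { [HTTP::uri] starts_with "/register" } {
        pool local-pool-2
        return
    }

    if { not $authenticated and not ( [HTTP::uri] equals "/favicon.ico" ) } {
        # Same renegotiation sequence as the original rule: hold the request,
        # require a cert, release it in CLIENTSSL_CLIENTCERT.
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    }
    pool $default_pool
}

when HTTP_REQUEST_SEND {
    clientside {
        if { ( [SSL::cert count] > 0 ) and not ( [HTTP::cookie exists F5AUTH] ) } {
            set uniqueid "_[string range [AES::key 256] 34 end]"
            # 1800 s idle timeout and 1800 s hard lifetime (assumed values):
            # a stale cookie then fails the lookup above and forces a new cert prompt.
            table add -subtable CERTDATA $uniqueid [X509::subject [SSL::cert 0]] 1800 1800
        }
    }
}
```

The backend should still treat a request without X-CLIENT-CERT as unauthenticated; with the header removal above, the presence of the header now means the BIG-IP verified a certificate for this session.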
iamsajjad
Jun 27, 2023, Cirrus
Dumb questions:
1. What's the purpose of HTTP::release? What's the harm in not adding this?
2. Why should we do SSL::session invalidate when we are doing SSL::renegotiate?
3. What happens if we skip the add F5AUTH cookie portions? Clientside, if SSL::cert count > 1, we insert field values.
Thank you!