Forum Discussion
Uri-based client cert authentication question
Hi, I need to configure a virtual server with selective client cert authentication based on URI.
In case the user selects cert auth, the URI changes to /myweb/secure/, and the F5 should request the client cert, renegotiate SSL and insert the client cert into an HTTP header so the back-end server can read the client cert. There is quite a lot of info and posts about this feature, which I've read. I've configured the VS, SSL profile (client) and iRule but I just can't make this work.
SSL profile client:
- renegotiation enabled
- client authentication
- client certificate: ignore
- frequency: once
- trusted certificate authorities & advertised cert: bundle of client cert CA
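iRule:

    when CLIENTSSL_CLIENTCERT {
        # Release the request held by HTTP::collect in HTTP_REQUEST
        HTTP::release
        # Drop the connection if no certificate was presented
        if { [SSL::cert count] < 1 } {
            reject
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/myweb/secure/" } {
            if { [SSL::cert count] == 0 } {
                # Hold the request, require a client cert, then renegotiate
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
    when HTTP_REQUEST_SEND {
        clientside {
            # Pass the client certificate to the back-end server in a header
            if { [SSL::cert count] > 0 } {
                HTTP::header insert "x-clientcert" [X509::whole [SSL::cert 0]]
            }
        }
    }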
I'm not sure whether the /myweb/secure/ path is ever accessible, since there is no browser pop-up requesting the client certificate. I really can't figure this out, any hints would be most appreciated. Thanks a lot for your time and help.
- spalandeNacreous
The iRule and clientssl profile settings look fine. Check if the clientssl profile has any parent SSL profile configured that might overwrite some of the settings from the parent profile and cause the issue. Try logging as much as possible in the iRule to see what's happening.
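One way to follow the logging advice above, as an added example that is not part of the thread and not F5's own code: a log-only iRule meant to be attached to the same virtual server alongside the rule in the question. It assumes the default `local0` facility (normally written to /var/log/ltm) and changes no traffic; the log message wording is made up for illustration.

```tcl
# Added debugging sketch: logging only, no changes to the connection.
# Assumption: attached to the same virtual server as the rule in the question.

when CLIENTSSL_HANDSHAKE {
    # Runs after each completed client-side handshake, so a second entry for
    # the same client ip:port shows that the renegotiation actually happened.
    # The protocol version is logged because TLS 1.3 has no renegotiation.
    log local0. "[IP::client_addr]:[TCP::client_port] handshake complete:\
        proto=[SSL::cipher version] cipher=[SSL::cipher name]\
        certs=[SSL::cert count]"
}

when CLIENTSSL_CLIENTCERT {
    # Shows whether the client answered the certificate request at all,
    # and what the verification against the trusted CA bundle returned.
    log local0. "[IP::client_addr]:[TCP::client_port] client cert event:\
        certs=[SSL::cert count]"
    if { [SSL::cert count] > 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]\
            subject=[X509::subject [SSL::cert 0]]\
            verify=[X509::verify_cert_error_string [SSL::verify_result]]"
    }
}

when HTTP_REQUEST {
    # Confirms the URI the rule really sees (case and prefix matter for
    # starts_with) and whether a certificate is already on the session.
    log local0. "[IP::client_addr]:[TCP::client_port] request:\
        uri=[HTTP::uri] certs=[SSL::cert count]"
    if { [HTTP::uri] starts_with "/myweb/secure/" && [SSL::cert count] == 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]\
            secure path without cert, renegotiation expected next"
    }
    # The rule in the question inserts x-clientcert only when a certificate
    # is present and never removes an inbound copy, so a client-supplied
    # header would reach the back end unchanged. Log it when it appears.
    if { [HTTP::header exists "x-clientcert"] } {
        log local0. "[IP::client_addr]:[TCP::client_port]\
            inbound request already carries x-clientcert"
    }
}
```

Reading the entries for one client ip:port in order shows where the sequence stops: no "secure path" line means the URI test never matched, and that line without a following handshake entry means the renegotiation never completed.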