JoseCC_320098
Jun 05, 2017 Nimbostratus
Uri-based client cert authentication question
Hi, I need to configure a virtual server with selective client cert authentication based on URI.
If the user selects cert auth, the URI changes to /myweb/secure/; the F5 should then request the client cert, renegotiate SSL and insert the client cert into an HTTP header so the back-end server can read the client cert. There is quite a lot of info and posts about this feature, which I've read. I've configured the VS, the SSL profile (client) and the iRule, but I just can't make this work.
SSL profile client:
- renegotiation enabled
- client authentication
- client certificate: ignore
- frequency: once
- trusted certificate authorities & advertised cert: bundle of client cert CA
iRule:
when CLIENTSSL_CLIENTCERT {
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myweb/secure/" } {
        if { [SSL::cert count] == 0 } {
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "x-clientcert" [X509::whole [SSL::cert 0]]
        }
    }
}
I'm not sure whether the /myweb/secure/ path is ever accessible, since there is no browser pop-up requesting the client certificate. I really can't figure this out; any hints would be most appreciated. Thanks a lot for your time and help.
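
A hardening note on the header-insertion step in the iRule above, as an added example that is not part of the original post: the rule only ever adds x-clientcert, so a request that already carries that header reaches the back end with it intact. The variant below keeps the post's events, URI prefix and header name and adds one `HTTP::header remove`, assuming the back end treats x-clientcert as proof of a verified certificate; it does not address the missing certificate prompt.

```tcl
# Added example, not the poster's code: same flow as the post, plus removal of
# any client-supplied copy of the certificate header.

when CLIENTSSL_CLIENTCERT {
    # Fires after the client answers the certificate request.
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}

when HTTP_REQUEST {
    # Only the protected path triggers the mid-connection certificate request.
    if { [HTTP::uri] starts_with "/myweb/secure/" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request until the renegotiation has finished.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Runs for every request on the virtual server, protected path or not:
        # drop whatever value the request arrived with, so the header can only
        # come from the insert below.
        HTTP::header remove "x-clientcert"
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "x-clientcert" [X509::whole [SSL::cert 0]]
        }
    }
}
```

With this in place, a request with no client certificate on the connection reaches the back end with no x-clientcert header at all, which the back end can treat as unauthenticated.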