Doing mTLS Authentication per URL
A customer asked if F5 supports mTLS Authentication per URL because some firewall vendors do not support this use case. At first, I thought it seems not possible because mTLS works at the lower OSI l...
Published Dec 05, 2022, Version 1.0
Author: joko_yuliantoro (Employee, joined July 15, 2019)
Comment by joko_yuliantoro (Employee), Apr 07, 2023
Hi jhosseini,
The non-sensitive URL is identified after the mTLS handshake is completed. As mentioned in the article, mTLS is processed before the HTTP layer. It is not possible to remove the client certificate request during the mTLS handshake when the client has not even sent the HTTP request containing the URI.
The above solution still allows clients who establish mTLS connections without a client certificate and request a non-sensitive URL. This is because the VS's ClientSSL profile is configured with the "request" flag and the client is free to ignore the request. The VS will still allow clients coming in without a client certificate.
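The following iRule is an added example, not code from the article or from joko_yuliantoro, of the HTTP-layer enforcement the comment describes: the ClientSSL profile is left in "request" mode so every client completes the handshake, and the certificate check is applied only once the URI is known. The list of sensitive path prefixes and the 403 response body are constructed for the example; the iRule commands used (HTTP_REQUEST, HTTP::path, SSL::cert count, SSL::verify_result, HTTP::respond) are standard F5 iRule commands.

```tcl
when HTTP_REQUEST {
    # Constructed list of URL prefixes that must be accessed with a client certificate.
    # Everything else is served even when the client ignored the certificate request.
    set sensitive_prefixes [list "/admin" "/api/internal"]

    set path [string tolower [HTTP::path]]
    set needs_cert 0
    foreach prefix $sensitive_prefixes {
        if { [string match "${prefix}*" $path] } {
            set needs_cert 1
            break
        }
    }

    if { !$needs_cert } {
        # Non-sensitive URL: no certificate required, let the request through.
        return
    }

    # Sensitive URL: the handshake is already complete, so we can only inspect
    # what the client presented. No certificate means no access to this path.
    if { [SSL::cert count] < 1 } {
        log local0. "Rejected $path from [IP::client_addr]: no client certificate"
        HTTP::respond 403 content "Client certificate required for this resource" \
            "Content-Type" "text/plain"
        return
    }

    # In "request" mode a presented certificate may still have failed chain
    # verification; SSL::verify_result returns 0 only on success.
    if { [SSL::verify_result] != 0 } {
        log local0. "Rejected $path from [IP::client_addr]: cert verify result [SSL::verify_result]"
        HTTP::respond 403 content "Client certificate failed verification" \
            "Content-Type" "text/plain"
        return
    }
}
```

The rule makes the trade-off in the comment explicit: a client that never sends a certificate still gets a completed TLS session and can reach every non-sensitive URL, and the only thing the VS can do for sensitive paths is refuse at the HTTP layer, after the handshake, based on what was (or was not) presented.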