Client Authentication Based On URI
Hello,
Currently, to configure client authentication on a URI, we create 2 client SSL profiles (one of which is the parent of the other) and 2 iRules that check a data group against the URI list. The client SSL profile (not the parent) is attached to the virtual server on the secure port along with the iRule. The second iRule checks for the URI in the data group, redirects to https://, and is attached to the non-secure virtual server.
The parent SSL profile is configured with the certificate bundle in Client Authentication for both Trusted Certificate Authorities and Advertised Certificate Authorities.
Everything works as expected, but looks complex. I have a feeling the above setup could be put into just one iRule without even having a data group created since there is only one URI that needs to be secured with the client authentication.
I have used the iRule from https://devcentral.f5.com/articles/selective-client-cert-authentication but can't make it work.
when CLIENTSSL_CLIENTCERT {
    # Fires once the renegotiated handshake delivers the client certificate;
    # let the request held by HTTP::collect continue unless no cert arrived.
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}
when HTTP_REQUEST {
    # Lower-case the request URI itself (not the literal) so the match is case-insensitive.
    if { [string tolower [HTTP::uri]] contains "/secureapi" } {
        if { [SSL::cert count] <= 0 } {
            # Hold the request and ask the client for a certificate via renegotiation.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # Pass certificate details to the pool member as request headers.
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
            HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
        }
    }
}
Thanks for your time and help!
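One way to collapse the two profiles, two iRules and the data group into a single iRule, as an added example that is neither the DevCentral article's nor the poster's code: it assumes the same iRule is attached to both virtual servers, that the secure listener is on port 443, that the 443 virtual server's client SSL profile has client authentication set to ignore with the CA bundle in its Trusted/Advertised CA fields and renegotiation permitted, and it takes the path /secureapi from the post.

```tcl
# Single iRule attached to both the port-80 and port-443 virtual servers:
# plaintext requests for the protected path are redirected to HTTPS, and
# only that path triggers a client-certificate renegotiation on the TLS side.
when RULE_INIT {
    # The one path that needs client authentication (taken from the post).
    set static::protected_path "/secureapi"
}

when HTTP_REQUEST {
    # Lower-case the request path itself so the comparison is case-insensitive.
    set path [string tolower [HTTP::path]]
    if { ![string match "${static::protected_path}*" $path] } {
        return
    }
    if { [TCP::local_port] != 443 } {
        # Assumption: the plaintext listener is any port other than 443.
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        return
    }
    if { [SSL::cert count] == 0 } {
        # Hold the request until the renegotiated handshake has delivered
        # the client certificate (handled in CLIENTSSL_CLIENTCERT below).
        HTTP::collect
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # Reject when no certificate arrived or when chain validation against the
    # profile's trusted CA bundle failed (SSL::verify_result is 0 only on success);
    # the posted rule only counts certificates and never checks the result.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "client cert rejected from [IP::client_addr]: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    # Certificate accepted: release the held request to the pool.
    HTTP::release
}
```

SSL::renegotiate depends on TLS renegotiation, which the client SSL profile must allow and which does not exist in TLS 1.3, so clients negotiating 1.3 cannot be challenged mid-connection this way.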