Forum Discussion

Maudigan's avatar
Maudigan
Icon for Altocumulus rankAltocumulus
Dec 02, 2023

OCSP HTTP Header Specification/Example or field name of EDIPI?

Our application identifies users by the EDIPI passed in header. I'm coding this without having access at the moment so im relying heavily on documentation instead of trial and error; I can't find documentation.

From what I understand, the cert information will just be available to me in the header, and I can trust it. So I should just grab their EDIPI and check my user tables to see who is associated with that EDIP then I mark them as logged in. (Side question, do I need to check their revoked status? Does a revoked cert still get forwarded to our application or are they redirected by F5?)

I'm using PHP to check the headers. I already know how to get the header information and grab values from it. What I don't know is what the EDIPI key/index is. I can't find documentation or examples of the headers.

I've have however found the GCDS documentation and an example dump of the headers. In that case of GCDS, the EDIPI key is 'cert-edipi'. Is that a standard naming convention that would be the same for F5?

 

If anyone can point me to an example of an HTTP header, or better-yet the documentation of the fields and their definitions that would be super helpful. If lieu of that, what's the name of the EDIPI field in the HTTP header?

  • Maudigan's avatar
    Maudigan
    Dec 04, 2023

    Lucas, thanks for the detailed response. Your assumptions are correct. I had seen that post you linked when I was searching and had dismissed it as unrelated to what I was looking for for. I had been lead to believe that the process you just described was sort of automatic, that simply by being in the F5 and using HTTPS that the x509 info would automatically be inserted into the HTTP request header and forwarded to the server.

    I thought I was just missing the finer details, but I apparently really am missing the overarching architecture of how this will work! I think the important take away from your code is that I can name the EDIPI whatever I want in the request header. That's enough to let me start writing my PHP. So thanks! 

    I think I followed your code fine, but am entirely unfamiliar with the syntax/language. Am I right to assume that my server admins will have access to an F5 console where I'd have to get them to setup rules for how we want our connections to be managed, and the script your provided is an example of one of those handling rules?

  • Great! sounds like you're on the right track.

    The language that BIG-IPs use for network programmability is a flavor of TCL called "iRules". In a nutshell, you write code blocks like "When this event happens, do these commands", then you attach that code to a virtual server. iRules support passing data between events using variables. In this way, almost any conceivable use case or data translation is possible.

    Events: https://clouddocs.f5.com/api/irules/Events.html

    Commands: https://clouddocs.f5.com/api/irules/Commands.html

    You can read more about irules here:

    https://community.f5.com/t5/technical-articles/getting-started-with-irules-events-amp-priorities/ta-p/290543

     

  • I'm assuming that:

    1- The F5 is performing the SSL negotitation with the client's CAC

    2- You want to transform the ID in the X509 to a HTTP header and pass it along to the backend server which can read it

     

    So you need to capture the X509 information. There is some information about that here:

    https://community.f5.com/t5/technical-forum/forwarding-of-x509-http-header-to-application-after-termination/td-p/100895

    Then you need to add that header into the transaction using the HTTP::header commmand at either the HTTP_REQUEST or HTTP_REQUEST_RELEASE event. I prefer the latter because it always happens right before we send the request to the backend server.

    So a complete irule might look something like this. I used "x-edipi" (custom headers are usually supposed to start with "x-", but that's not a hard rule) for an example, but you'll have to figure out what header the server wants. The F5 doesn't care. A simple test of the header should prevent users from inserting their own header maliciously.

    when CLIENTSSL_HANDSHAKE {
      set subj [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
      set EDIPI [string range $subj [expr [string last "." $subj] +1] end]
      log local0. "CAC Auth: Got EDIPI '$EDIPI'"
    }
    
    when HTTP_REQUEST_RELEASE {
      if { [HTTP::header exists "x-edipi"] } {
        log local0. "CAC Auth: [IP::client_addr] tried to tell us they were [HTTP::header value x-edipi ]! Drop connection."
        reject
      }
      
      if { [info exists EDIPI] } {
        log local0. "CAC Auth: [IP::client_addr] Inserting $EDIPI"
        HTTP::header replace "x-edipi" $EDIPI
      } else {
        log local0. "EDIPI data not found"
      }
    }

    As for the client-ssl attached to the virtual, make sure you set the user-auth to "require" (we drop connection if you don't pass the CAC auth) and your allowed-CAs to the proper ones for your CACs.

    • Maudigan's avatar
      Maudigan
      Icon for Altocumulus rankAltocumulus

      Lucas, thanks for the detailed response. Your assumptions are correct. I had seen that post you linked when I was searching and had dismissed it as unrelated to what I was looking for for. I had been lead to believe that the process you just described was sort of automatic, that simply by being in the F5 and using HTTPS that the x509 info would automatically be inserted into the HTTP request header and forwarded to the server.

      I thought I was just missing the finer details, but I apparently really am missing the overarching architecture of how this will work! I think the important take away from your code is that I can name the EDIPI whatever I want in the request header. That's enough to let me start writing my PHP. So thanks! 

      I think I followed your code fine, but am entirely unfamiliar with the syntax/language. Am I right to assume that my server admins will have access to an F5 console where I'd have to get them to setup rules for how we want our connections to be managed, and the script your provided is an example of one of those handling rules?