AlexS_yb
Jan 31, 2022
Solved

request logging profile want to log client certificate details

Hi

I am setting up a request logging profile and I want to log the client certificate that was associated with the request that comes through.

I have an iRule that adds it as a header to the pool, but that doesn't seem to be available in the request portion and the backend server doesn't send it back.

How can I access client cert information in request-log?



3 Replies

  • Can you sanitize what you have with your logging profile and iRule and post where you are?

    • AlexS_yb

      tmsh create ltm profile request-log ybrequest-log-20220126
      tmsh modify ltm profile request-log ybrequest-log-20220126 app-service none defaults-from ybrequest-log \
      #
      #request-log-template '$BIGIP_HOSTNAME , $VIRTUAL_NAME , "$\{Host\}",RQ,$CLIENT_IP,$CLIENT_PORT,$DATE_NCSA,$HTTP_METHOD,$HTTP_URI,$HTTP_VERSION,\"${User-agent}\",\"${X-Forwarded-SSL-cert-subject}\","$\{YBID\}","$\{ybmethod\}","$\{DEBTSTHREAD\}"' \
      #response-log-template '$BIGIP_HOSTNAME , $VIRTUAL_NAME , "$\{Host\}",RS,$CLIENT_IP,$CLIENT_PORT,$DATE_NCSA,$HTTP_METHOD,$HTTP_URI,$HTTP_VERSION,\"${User-agent}\",\"${X-Forwarded-SSL-cert-subject}\","$\{YBID\}","$\{ybmethod\}","$\{DEBTSTHREAD\}",$VIRTUAL_POOL_NAME,$SERVER_IP,$SERVER_PORT,$SNAT_IP,$SNAT_PORT,$HTTP_STATCODE,$RESPONSE_SIZE,$RESPONSE_MSECS,"$\{X-time\}"'
      #

       

      is the header added by the irule

      X-Forwarded-SSL-cert-subject

       

      the irule looks something like 

      set certsubject [X509::subject $cert]
      HTTP::header insert X-Forwarded-SSL-DN $certsubject

       

      Not sure why this makes a difference. The general question is how to log client cert info in request-log.


      • AlexS_yb

        Seems like there is an engineering request to get client cert info into request-log.

        So for now, I have to rewrite it as an iRule.
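
As an added example (not part of the original thread, and not the poster's or F5's code), here is an iRule that writes the client certificate subject into its own log line, along the lines of the workaround described above. The HSL pool name `pool_syslog_hsl` and the field order are assumptions, and the virtual server is assumed to have a client SSL profile that requests a client certificate; the header name is the one the posted log template references.

```tcl
# Added example. "pool_syslog_hsl" is a hypothetical pool of syslog receivers.
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool pool_syslog_hsl]
}

when HTTP_REQUEST {
    # Drop any copy of the header supplied by the client, so the backend
    # only ever sees a value that the BIG-IP set from the TLS handshake.
    HTTP::header remove "X-Forwarded-SSL-cert-subject"

    set subject "-"
    set serial "-"
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # The subject is certificate-supplied text: replace double quotes and
        # line breaks so it cannot split or forge fields in the CSV log line.
        set subject [string map [list "\"" "'" "\r" " " "\n" " "] [X509::subject $cert]]
        set serial [X509::serial_number $cert]
        HTTP::header insert "X-Forwarded-SSL-cert-subject" $subject
    }

    # <190> is syslog priority local7.info; the fields mirror part of the
    # request-log template posted above, with the certificate details appended.
    HSL::send $hsl "<190>[virtual name],RQ,[IP::client_addr],[TCP::client_port],[HTTP::method],[HTTP::uri],\"$subject\",$serial\n"
}
```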