Ok... I think this is it.
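# Forward APM session and client-certificate attributes to the pool member
# as X-F5-* request headers once the ACL has allowed the request.
#
# Security notes:
#  - The pool member will treat these headers as asserted by the BIG-IP, so
#    any copy already present in the client request is removed first.
#    HTTP::header insert only adds a header; it does not replace one the
#    client sent with the same name.
#  - The removal runs before any early return, so a request whose session
#    lacks a certificate attribute cannot carry a client-supplied value
#    through to the backend.
#  - The pool member should accept these headers only on connections that
#    come from the BIG-IP.
#  - The session ID identifies a live APM session. It is still forwarded
#    (the backend may depend on it), but only its last 8 characters are
#    written to the log.
when ACCESS_ACL_ALLOWED {
    # Drop every client-supplied copy of the headers this rule asserts.
    foreach hdr {
        X-F5-Forwarded-For
        X-F5-Session-ID
        X-F5-Session-Start
        X-F5-Cert-Issuer
        X-F5-Cert-Subject
        X-F5-Cert-UPN
        X-F5-Cert-Email
    } {
        HTTP::header remove $hdr
    }

    # Read each session variable once and reuse the value below.
    set var_sid     [ACCESS::session sid]
    set var_start   [ACCESS::session data get session.custom.start.time]
    set var_issuer  [ACCESS::session data get session.ssl.cert.issuer]
    set var_subject [ACCESS::session data get session.ssl.cert.subject]
    set var_upn     [ACCESS::session data get session.custom.cert.upn]
    set var_email   [ACCESS::session data get session.custom.cert.email]

    # Session-level headers are always sent.
    HTTP::header insert "X-F5-Forwarded-For" [IP::client_addr]
    log local0. "X-F5-Forwarded-For [IP::client_addr]"

    HTTP::header insert "X-F5-Session-ID" $var_sid
    # Log a truncated session ID so the log cannot be used to recover it.
    log local0. "X-F5-Session-ID ...[string range $var_sid end-7 end]"

    HTTP::header insert "X-F5-Session-Start" $var_start
    log local0. "X-F5-Session-Start $var_start"

    # Certificate headers are sent in order; processing stops at the first
    # attribute that is empty, as in the original rule. The original put
    # "else" on its own line, which Tcl parses as a separate command; the
    # guard clauses below avoid that.
    if { $var_issuer eq "" } { return }
    HTTP::header insert "X-F5-Cert-Issuer" $var_issuer
    log local0. "X-F5-Cert-Issuer $var_issuer"

    if { $var_subject eq "" } { return }
    HTTP::header insert "X-F5-Cert-Subject" $var_subject
    log local0. "X-F5-Cert-Subject $var_subject"

    if { $var_upn eq "" } { return }
    HTTP::header insert "X-F5-Cert-UPN" $var_upn
    log local0. "X-F5-Cert-UPN $var_upn"

    if { $var_email eq "" } { return }
    HTTP::header insert "X-F5-Cert-Email" $var_email
    log local0. "X-F5-Cert-Email $var_email"
}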