Forum Discussion
Andreia, you might try the following iRule, but I'm not 100% positive that this is the correct iRule, so please do some testing prior to implementing it in production to ensure it is working the way you would expect.
when CLIENT_ACCEPTED priority 500 {
    # Set to 1 once this connection has been asked to renegotiate for a client certificate.
    set session_flag 0
}

when CLIENTSSL_HANDSHAKE priority 500 {
    # Fires after the initial handshake and again after each renegotiation.
    # Only act on the renegotiation triggered from HTTP_REQUEST below; the
    # certificate is not available until this event runs.
    if { $session_flag == 1 } {
        if { [SSL::cert count] > 0 } {
            if { [SSL::verify_result] == 0 } {
                log "Client cert is OK; releasing HTTP request."
                HTTP::release
                return
            }
            set error_string [X509::verify_cert_error_string [SSL::verify_result]]
        } else {
            set error_string "No client certificate provided"
        }
        # Reached for both failure cases: no certificate, or a certificate that failed verification.
        HTTP::respond 403 content "<html>Invalid client certificate: ${error_string}</html>"
    }
}

when HTTP_REQUEST priority 500 {
    set URI [string tolower [HTTP::uri]]
    if { not (${URI} starts_with "/auth") } {
        if { $session_flag == 0 } {
            log "Certificate required for: ${URI}"
            # Hold the request while the client is asked for a certificate.
            HTTP::collect
            set session_flag 1
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            # Renegotiation is asynchronous: do not inspect SSL::cert here,
            # the result is evaluated in CLIENTSSL_HANDSHAKE.
            SSL::renegotiate
        }
    } else {
        log "No certificate needed for: ${URI}"
    }
}
- Andreia (Cirrus), Feb 15, 2023
Hi, Paulius!
Thank you for replying! I pasted the iRule in the test environment and the behavior is the same:
no pop-up window on the browser to select the client certificate. (Is there a way to make this pop-up not appear, as happens on nginx with the "ssl_verify_client on" line? OK! I'm sorry, I'm overlapping subjects! I will not go on with it right now.) What is leaving me in doubt is that when I do a simple iRule, with these same settings in the Client SSL profile, with the list of certificates selected in the "Trusted Certificate Authorities", it works! But I actually need to handle this URI-related conditional. And if we try to do the opposite: when the request goes to "/auth", will it turn OFF this client certificate verification? Can you help me with this?
Thanks!
- Andreia (Cirrus), Feb 15, 2023
I did the test again in "InPrivate" mode. Look at what the logs reported:
Feb 15 10:48:28 err tmm1[16269]: 01220001:3: TCL error: /Common/irule_auth-opin-dev_v2 <HTTP_REQUEST> - can't read "error_strign": no such variable while executing "HTTP::respond 403 content "<html>Invalid client certificate: ${error_strign}</html>""
Feb 15 10:48:28 info tmm6[16269]: 01220002:6: Rule /Common/irule_auth-opin-dev_v2 <HTTP_REQUEST>: Certificate required for: /xyz/abc/customers/management/health
Feb 15 10:48:28 err tmm6[16269]: 01220001:3: TCL error: /Common/irule_auth-opin-dev_v2 <HTTP_REQUEST> - can't read "error_strign": no such variable while executing "HTTP::respond 403 content "<html>Invalid client certificate: ${error_strign}</html>""
Can you help?
Thank you!