OCSP HTTP Header Specification/Example or field name of EDIPI?
Our application identifies users by the EDIPI passed in the header. I'm coding this without having access at the moment, so I'm relying heavily on documentation instead of trial and error; I can't find documentation.
From what I understand, the cert information will just be available to me in the header, and I can trust it. So I should just grab their EDIPI and check my user tables to see who is associated with that EDIPI, then mark them as logged in. (Side question: do I need to check their revoked status? Does a revoked cert still get forwarded to our application, or are they redirected by F5?)
I'm using PHP to check the headers. I already know how to get the header information and grab values from it. What I don't know is what the EDIPI key/index is. I can't find documentation or examples of the headers.
I have, however, found the GCDS documentation and an example dump of the headers. In the case of GCDS, the EDIPI key is 'cert-edipi'. Is that a standard naming convention that would be the same for F5?
If anyone can point me to an example of an HTTP header, or better yet the documentation of the fields and their definitions, that would be super helpful. In lieu of that, what's the name of the EDIPI field in the HTTP header?
Lucas, thanks for the detailed response. Your assumptions are correct. I had seen that post you linked when I was searching and had dismissed it as unrelated to what I was looking for. I had been led to believe that the process you just described was sort of automatic, that simply by being behind the F5 and using HTTPS the x509 info would automatically be inserted into the HTTP request header and forwarded to the server.
I thought I was just missing the finer details, but I apparently really am missing the overarching architecture of how this will work! I think the important takeaway from your code is that I can name the EDIPI whatever I want in the request header. That's enough to let me start writing my PHP. So thanks!
I think I followed your code fine, but am entirely unfamiliar with the syntax/language. Am I right to assume that my server admins will have access to an F5 console where I'd have to get them to set up rules for how we want our connections to be managed, and the script you provided is an example of one of those handling rules?
Great! Sounds like you're on the right track.
The language that BIG-IPs use for network programmability is a flavor of TCL called "iRules". In a nutshell, you write code blocks like "When this event happens, do these commands", then you attach that code to a virtual server. iRules support passing data between events using variables. In this way, almost any conceivable use case or data translation is possible.
Events: https://clouddocs.f5.com/api/irules/Events.html
Commands: https://clouddocs.f5.com/api/irules/Commands.html
You can read more about iRules here:
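An iRule of the shape Lucas describes, written here as an added example (it is not the script from the thread, which this page does not include). The header name X-EDIPI is an arbitrary choice, and the assumption that the EDIPI is the last dot-separated field of the certificate's CN is noted in the comments; both can be changed to match your environment.

```tcl
# Added example iRule, not code from this thread.
# Assumptions: the client SSL profile on the virtual server requests or requires a
# client certificate, and the subject CN ends in the EDIPI as its last
# dot-separated component (LAST.FIRST.MIDDLE.1234567890). The header name
# X-EDIPI is arbitrary; as the thread says, you can name it whatever you want.

when CLIENTSSL_CLIENTCERT {
    set edipi ""
    # Only accept a cert that passed the profile's verification (chain, and
    # CRL/OCSP checks if those are configured on the profile). 0 means OK.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set subject [X509::subject [SSL::cert 0]]
        # Pull the CN and take its last dot-separated field as the EDIPI.
        if { [regexp {CN=([^,]+)} $subject -> cn] } {
            set candidate [lindex [split $cn "."] end]
            # Accept only a 10-digit value; anything else is treated as no identity.
            if { [regexp {^\d{10}$} $candidate] } {
                set edipi $candidate
            }
        }
    }
}

when HTTP_REQUEST {
    # Never forward a client-supplied copy of the identity header: the
    # application must only ever see the value this iRule derived from the cert.
    HTTP::header remove "X-EDIPI"
    if { [info exists edipi] && $edipi ne "" } {
        HTTP::header insert "X-EDIPI" $edipi
    } else {
        # No usable certificate on this connection: reject rather than let the
        # application guess at an identity.
        HTTP::respond 403 content "Client certificate required"
    }
}
```

On the PHP side a header named X-EDIPI arrives as `$_SERVER['HTTP_X_EDIPI']`, and the application should still treat it as an identity assertion only when the request can have come through this virtual server and nowhere else.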