Forum Discussion
youssef1
Apr 04, 2019
Hi,
First of all, configure your client SSL profile with the following parameters:
- authenticate always
- authenticate depth 9
- cert mode request
- renegotiate
Don't forget to set "Trusted Certificate Authorities" and "Advertised Certificate Authorities" to the right CA...
A simple iRule to begin with:
    when CLIENT_ACCEPTED {
        # Initialise the flag here so HTTP_REQUEST never reads an unset variable
        # (CLIENTSSL_CLIENTCERT may not have fired yet when the first request arrives)
        set auth 0
    }
    when CLIENTSSL_CLIENTCERT {
        set auth 0
        # Check if the client provided a cert
        if {[SSL::cert 0] eq ""} {
            # No certificate presented: mark the connection as unauthenticated
            # (the 403 is sent later in HTTP_REQUEST, only for hosts that require a cert)
            set auth 0
        } else {
            # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
            set subject_dn [X509::subject [SSL::cert 0]]
            log "Client Certificate Received: $subject_dn"
            # Base64 copy of the DER certificate, kept for later use (e.g. passing to the backend)
            set cert [b64encode [SSL::cert 0]]
            set auth 1
        }
    }
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "app.mydomain.com" {
                if {$auth == 0} {
                    HTTP::respond 403 content "Forbidden" "Content-Type" "text/html" "Connection" "Close"
                }
            }
            "app2.mydomain.com" {
                # Placeholder for a second hostname that requires a client cert
                # (the original listed "app.mydomain.com" twice, so the second case never matched)
                if {$auth == 0} {
                    HTTP::respond 403 content "Forbidden" "Content-Type" "text/html" "Connection" "Close"
                }
            }
            default {
                # do nothing: other hostnames are served without a client cert
            }
        }
    }
There is also this interesting post:
https://devcentral.f5.com/articles/selective-client-cert-authentication
You just have to change the URI check to a hostname check...
regards,
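As an added example (not part of youssef1's reply or the linked F5 article), the same idea written so that the list of hostnames requiring a certificate lives in a string data group rather than in hard-coded switch cases, and so that a certificate is only accepted when the profile's chain verification actually succeeded. It assumes a data group named cert_required_hosts (assumed name), the client SSL profile settings listed above, and that the backend wants the authenticated subject DN in a header named X-Client-Cert-Subject (assumed header name).

```tcl
# Added example, not from the original post or from F5.
# Assumes a string data group "cert_required_hosts" (assumed name) listing the
# hostnames that must present a valid client certificate.

when CLIENT_ACCEPTED {
    # Per-connection state, initialised before any other event can read it
    set auth 0
    set subject_dn ""
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the handshake has delivered the client's certificate (if any)
    if { [SSL::cert count] == 0 } {
        set auth 0
        return
    }
    # Presence is not enough: require that the chain validated against the
    # profile's Trusted Certificate Authorities. SSL::verify_result is 0 only
    # when verification succeeded.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client cert failed verification (result [SSL::verify_result])"
        set auth 0
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    log local0. "Client certificate accepted: $subject_dn"
    set auth 1
}

when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    # Only hostnames listed in the data group require a certificate;
    # everything else is served as-is.
    if { [class match $host equals cert_required_hosts] } {
        if { $auth == 0 } {
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "Close"
            return
        }
        # Hand the verified subject to the backend so it can authorise the user;
        # header name is an assumption for this example
        HTTP::header insert "X-Client-Cert-Subject" $subject_dn
    }
}
```

Adding a hostname then becomes a data-group edit instead of an iRule change, and because the header is only inserted after SSL::verify_result succeeded, the backend never sees a subject from an unverified certificate.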