Forum Discussion
Kai_Wilke
Apr 04, 2019 (MVP)
Hi KimiLi,
You may take a look at the iRule below. The iRule utilizes a minimalistic but very effective TCP session state to determine whether a given TCP session needs to become SSL-authenticated before granting access to a specific HOST or URI value.
If an HTTP request to a protected resource is received by the HTTP_REQUEST event, the iRule will put the ongoing HTTP request on hold, change the Client SSL settings (aka Client Authentication = Require) of the underlying TCP session and trigger an on-the-fly SSL renegotiation with the changed Client SSL settings. Once the SSL renegotiation is complete, it will release the ongoing HTTP request from hold and mark the underlying TCP session as Client Certificate authenticated.
    when CLIENT_ACCEPTED {
        # Initialize TCP session state as unauthenticated.
        set tcp_session_state 0
    }
    when CLIENTSSL_HANDSHAKE {
        # Check if the TCP session is marked for "HTTP request on hold".
        if { $tcp_session_state == 1 } then {
            # Release the ongoing HTTP request.
            HTTP::release
            # Set TCP session state to authenticated.
            set tcp_session_state 2
        }
    }
    when HTTP_REQUEST {
        # Parse the HOST header value...
        switch -exact -- [string tolower [HTTP::host]] {
            "secure.domain.de" {
                # Check if the TCP session is marked as unauthenticated.
                if { $tcp_session_state == 0 } then {
                    # Temporarily hold the ongoing HTTP request.
                    HTTP::collect
                    # Set TCP session state to "HTTP request on hold".
                    set tcp_session_state 1
                    # Change the parameters of the underlying TCP connection to SSL client cert = require.
                    SSL::cert mode require
                    # Force a renegotiation of the underlying SSL session (with the changed parameters for this TCP connection).
                    SSL::renegotiate
                }
                # Select the backend pool.
                pool my_secure_pool
            }
            "non-secure.domain.de" {
                # Select the backend pool.
                pool my_non_secure_pool
            }
            default {
                # Select the backend pool.
                pool my_default_pool
            }
        }
    }
The Client SSL Profile of your Virtual Server needs to be set up for Client Authentication with the parameters best suited for you:
Client Certificate = Ignore (Ignore is important. The iRule will flip this setting as needed to selectively require Client Certificate authentication)
Frequency = Once | Always as you like
Retain Certificate = Enabled | Disabled as you like
Chain Depth = A depth of your choice
Trusted CA = A bundle of trusted CAs
Advertised CA = Most likely the same bundle as above
CRL = Select one as you like
With those settings, the SSL Profile is fully prepared to ask for SSL Client Certificate Authentication. But it won't ask for a Client Certificate until the iRule instructs the individual TCP session to flip the "Client Certificate" setting to "Require".
Cheers, Kai
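The profile settings listed in the post, written out as a bigip.conf-style stanza for the Client SSL profile. This is an added example and not part of Kai's post or of any F5-shipped configuration: the profile name, certificate, key, CA bundle and CRL object names are placeholders, the tmsh attribute names are assumed to correspond to the GUI fields named in the post, and the `#` lines are annotations to strip before loading the stanza.

```tcl
# Added example (not from the original post): Client SSL profile prepared for
# selective client-certificate authentication driven by the iRule above.
# All object names below are placeholders.
ltm profile client-ssl /Common/selective_clientauth {
    defaults-from /Common/clientssl
    cert-key-chain {
        default {
            cert /Common/secure.domain.de.crt
            key /Common/secure.domain.de.key
        }
    }
    # Client Certificate = Ignore. This is the setting the iRule flips per TCP
    # session via "SSL::cert mode require"; with "request" or "require" here,
    # every client would be prompted for a certificate on the initial handshake.
    peer-cert-mode ignore
    # Frequency = Once | Always
    authenticate once
    # Retain Certificate = Enabled | Disabled
    retain-certificate true
    # Chain Depth
    authenticate-depth 9
    # Trusted CA = bundle of CAs allowed to issue client certificates
    ca-file /Common/trusted-client-ca-bundle.crt
    # Advertised CA = most likely the same bundle
    client-cert-ca /Common/trusted-client-ca-bundle.crt
    # CRL (optional)
    crl-file /Common/client-ca.crl
    # SSL::renegotiate in the iRule only succeeds while renegotiation is
    # permitted by the profile (enabled is the default).
    renegotiation enabled
}
```

Two points worth checking before relying on this: the iRule's SSL::renegotiate call depends on the profile's Renegotiation setting staying enabled, and renegotiation only exists in TLS 1.2 and earlier, so a TLS 1.3 connection cannot be upgraded to client-certificate authentication mid-session this way and would need a separate virtual server or hostname that requires a certificate from the first handshake.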