How to require SSL certificate for a single host header

Question

Hope some one can help.  
&nbsp;  
&nbsp; What we have to day is a single VIP with the SSL Client profile certificate set to ignore. The current i-rule handles three host headers. Moving forward we want to require the client certificate on example1 and example2 host headers and leave example3 at ignore. 
&nbsp;  
&nbsp; Here is the current i-rule. 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    if { ( [string tolower [HTTPS::host]] contains "example1.com"  ) }  {  
&nbsp;         pool  example1  
&nbsp;         } elseif { ( [string tolower [HTTPS::host]] contains "example2.com"  ) }  {  
&nbsp;         pool example2 
&nbsp;         } elseif { ( [string tolower [HTTPS::host]] contains "example3.com"  ) }  { 
&nbsp;         pool example3 
&nbsp;         } 
&nbsp;    else { discard } 
&nbsp; }

dennypayne · Answer

The example in the wiki for SSL::renegotiate looks like it has similar logic to what you'd need.  (Click here) 
&nbsp;    
&nbsp;  Denny

colin_walker_12 · Answer

To change profile options in an iRule you're going to have to swap between profiles.  Denny's suggestion is a good one, check out the renegotiate command. 
&nbsp;  
&nbsp; Colin

Forum Discussion

How to require SSL certificate for a single host header

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Reminder: MFA now required to log in to DevCentral

CNAME redirection to GTM certificate SAN requirement

Re: Management Certificate

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

F5 BIG-IP Sizing Requirement