Forum Discussion

Apr 06, 2015

Virtual Server Routing with Client Cert

Hi,

I have a sort of "catch all" virtual server with no access policy, terminating SSL, and an iRule that routes requests to the correct virtual server based on the hostname.

The target virtual servers all have an access policy starting with "On Demand Cert Auth" and then continues through some authentication logic.

The problem I'm running into is that the "On Demand Cert Auth" is being executed but is going straight to deny and never prompting for a certificate. I have it set to "request".

I'm curious if this is even possible or if anyone has tried to implement something like this. The goal is that I don't want to set up a separate virtual server and access policy for every site I have, as they would be identical and I would have to maintain each copy of them, which would lead to discrepancies.

The catch all iRule looks like this:

when HTTP_REQUEST {
    switch [HTTP::host] {
        "anon1.mysite.com" -
        "anon2.mysite.com"
        {
            log local0. "Sending [HTTP::host] to anonymous"
            virtual anonymous
        }

        "reporting.mysite.com"
        {
            log local0. "Sending [HTTP::host] to reporting"
            virtual reporting
        }

        default
        {
            log local0. "Sending [HTTP::host] to kerberos"
            virtual kerberos
        }
    }
}

Thanks!

2 Replies

  • I haven't set it up so I am not sure if it is possible. My guess is it has to do with the original "catch-all" VS clientssl profile. What do you have configured for the clientssl profile?


    What you could do, instead of reselecting the virtual, is a redirect. For example, if they hit report.mysite.com you could redirect to "report-ap.mysite.com", which would start a new connection on that VS with the correct client SSL profile attached. If they request anon1.mysite.com you could redirect to anon-ap.mysite.com or something similar, so you can reuse the same Access Profile for multiple hostnames.


    Seth


  • I ended up finding a decent solution to this problem myself.

    Instead of using multiple virtual servers with multiple access policies, I consolidated everything down to one access policy and one virtual server.

    The access policy's first step is to look at the requested hostname and branch off into the correct validation:

    Advanced anonymous branch rule:
    expr { 
           [mcget {session.server.network.name}] eq "anon1.mysite.com"
        || [mcget {session.server.network.name}] eq "anon2.mysite.com"
    }
    
    Advanced reporting branch rule:
    expr { 
           [mcget {session.server.network.name}] eq "reporting.mysite.com"
    }
    ...
    

    Having the access policy validate based on the hostname allows me to have a catch-all style validation with a single virtual server.

    Hope this helps someone else!
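As an added example (not part of either post above), the two hostname comparisons in the anonymous branch rule can be written as one normalized list lookup. It assumes that the value in `session.server.network.name` may arrive in mixed case or with a `:port` suffix, so the rule lower-cases it and drops anything after the first colon before matching; an unexpected hostname yields false and therefore falls through to the policy's fallback branch rather than being authenticated as anonymous.

```tcl
# Added example: APM advanced branch rule (a Tcl expression) for the
# "anonymous" branch of the single access policy described above.
#
# Assumption: session.server.network.name may contain the hostname in mixed
# case or with a trailing ":port" (e.g. "ANON1.mysite.com:443"), so it is
# normalized before the exact-match lookup. lsearch -exact returns the index
# of the hostname in the allowed list, or -1 when it is not listed, so the
# rule evaluates to true only for the two anonymous hostnames.
expr {
    [lsearch -exact {anon1.mysite.com anon2.mysite.com} \
        [lindex [split [string tolower [mcget {session.server.network.name}]] ":"] 0]] >= 0
}
```

The reporting branch rule follows the same shape with `{reporting.mysite.com}` as the list, and the list is the only thing to edit when another hostname is added to a branch.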