iRule to check certificate subject and add a few HTTP header values
Hi experts,
Our requirements: [We have LTM & APM on the same unit]
a) Application needs to be exposed based on cert authentication to vendors.
b) Cert subject value should be validated to match a predefined value before allowing the vendor.
c) If a vendor uses API calls which do not handle multiple 302 redirects while using LTM+APM, insert HTTP::header insert "clientless-mode" 1, which solves the problem.
iRule that I composed based on various forums:
when ACCESS_POLICY_COMPLETED {
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # Lower-case the subject DN so the comparisons are case-insensitive
        set subject [string tolower [X509::subject $cert]]
        set clientIP [IP::client_addr]
        if { $subject contains "cn=vendor-a.xx.com" } {
            HTTP::header insert X-UPN vendor-a.xx.com
        } elseif { $subject contains "cn=salesforce.xx.com" } {
            HTTP::header insert X-UPN salesforce.xx.com
            HTTP::header insert "clientless-mode" 1
        } else {
            # Subject matches no known vendor: log and drop the connection
            log $clientIP
            log local0. "cert CN not valid"
            reject
        }
    }
}
Problem:
API calls from Salesforce can't handle multiple 302s from LTM+APM [if I am not wrong, it struggles after three 302s]. Since I use ACCESS_POLICY_COMPLETED, there will be a 302 which can't be avoided.
Questions:
Can I move this logic somewhere other than ACCESS_POLICY_COMPLETED?
Is there a better way to handle these requirements?
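
Added example, not part of the original post: one way to compare the certificate CN exactly rather than with "contains", which also accepts any subject that merely includes the expected string (a longer CN, or another RDN that carries it). Running the check in HTTP_REQUEST, the comma-separated DN layout returned by X509::subject, the availability of the client certificate in that event, and the removal of any client-supplied X-UPN header are assumptions of this example.

```tcl
# Added example. Assumed: the client SSL profile requests a client certificate
# and X509::subject returns a DN such as "CN=vendor-a.xx.com,OU=...,O=...".
when HTTP_REQUEST {
    # Never trust an X-UPN header sent by the client itself
    HTTP::header remove X-UPN

    if { [SSL::cert count] == 0 } {
        log local0. "no client cert from [IP::client_addr]"
        reject
        return
    }

    # Split the DN into RDNs and take the value of the first CN attribute,
    # so "ou=cn=vendor-a.xx.com" or "cn=vendor-a.xx.com.other" cannot match.
    set subject [string tolower [X509::subject [SSL::cert 0]]]
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match "cn=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    # Exact comparison against the predefined vendor names from the post
    switch -exact -- $cn {
        "vendor-a.xx.com" {
            HTTP::header insert X-UPN $cn
        }
        "salesforce.xx.com" {
            HTTP::header insert X-UPN $cn
            HTTP::header insert "clientless-mode" 1
        }
        default {
            log local0. "cert CN '$cn' not allowed, client [IP::client_addr]"
            reject
        }
    }
}
```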