Here's one that illustrates how to use the "session" command together with SSL client-certificate information so that information can be passed to the backend web servers.

As above, I want to deliver the SSL cert serial number to the HTTP server behind the BIG-IP, and at the same time redirect users who have no cert to an error page.

After a bit of coaching by unRuleY and Colin, here's what came out.

when CLIENTSSL_CLIENTCERT {
  # Build a two-element list: the client cert and its verification result.
  set ssl_stuff [list anything1 anything2]
  set ssl_cert [SSL::cert 0]
  set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
  lset ssl_stuff 0 $ssl_cert
  lset ssl_stuff 1 $ssl_errstr
  # Store it in the session table, keyed by SSL session ID, for 180 seconds,
  # so the HTTP_REQUEST event (which has no direct access to the handshake) can find it.
  session add ssl [SSL::sessionid] $ssl_stuff 180
}

when HTTP_REQUEST {
  # Look the list back up by SSL session ID; an empty result means no cert was stored.
  set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
  set ssl_cert2 [lindex $ssl_stuff2 0]
  set ssl_errstr2 [lindex $ssl_stuff2 1]
  if { $ssl_errstr2 eq "ok" } {
    # Cert verified: pass the status and serial number to the backend as headers.
    HTTP::header insert SSLClientCertStatus $ssl_errstr2
    HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
  } else {
    # No cert, or verification failed: send the user to the error page.
    HTTP::redirect http://192.168.0.64/error.html
  }
}
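The backend trusts whatever arrives in SSLClientCertStatus and SSLClientCertSN, so a variant that strips any client-supplied copies of those headers before BIG-IP inserts its own, and that treats a missing or expired session entry the same as "no certificate", is a useful hardening step. The iRule below is an added example, not Joe's code from the post; it keeps the header names, error URL and 180-second timeout from the iRule above as assumptions, and uses the standard SSL::cert count, HTTP::header remove and llength commands.

```tcl
# Added example (not from the original post): hardened variant of the iRule above.
# Assumed from the post: header names SSLClientCertStatus / SSLClientCertSN,
# the error page URL, and the 180-second session timeout.

when CLIENTSSL_CLIENTCERT {
  # Only record anything if the handshake actually presented a certificate.
  if { [SSL::cert count] > 0 } {
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    # Store {cert verify-status} keyed by SSL session ID for 180 seconds.
    session add ssl [SSL::sessionid] [list [SSL::cert 0] $ssl_errstr] 180
  }
}

when HTTP_REQUEST {
  # The backend trusts these headers, so never let the client supply them:
  # strip any client-sent copies before BIG-IP inserts its own.
  HTTP::header remove SSLClientCertStatus
  HTTP::header remove SSLClientCertSN

  set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
  # No entry (no cert presented, or the entry expired) is handled the same
  # as a failed verification.
  if { [llength $ssl_stuff2] != 2 } {
    HTTP::redirect "http://192.168.0.64/error.html"
    return
  }

  set ssl_cert2   [lindex $ssl_stuff2 0]
  set ssl_errstr2 [lindex $ssl_stuff2 1]
  if { $ssl_errstr2 eq "ok" } {
    HTTP::header insert SSLClientCertStatus $ssl_errstr2
    HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
  } else {
    HTTP::redirect "http://192.168.0.64/error.html"
  }
}
```

The explicit header removal is the important part: without it, a client that never presented a certificate could still send its own SSLClientCertSN header and the backend would have no way to tell it from one BIG-IP inserted. The session-table timeout also means a long-lived SSL session can outlive its entry, which is why the lookup miss is handled explicitly rather than falling through to an empty lindex.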

Click here for the forum thread.

-Joe


[Listening to: Notes...- Prima Donna - Original Soundtrack - The Phantom Of The Opera (1986 Original London Cast) (10:55)]