LyonsG_85618
Aug 12, 2013
This is better!
when CLIENTSSL_CLIENTCERT {
    # Kept from the original rule; not used anywhere yet
    set debug 0
    # Check if the client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection if no cert is present and stop processing this event
        reject
        return
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set ssl_cert [SSL::cert 0]
        set subject_dn [X509::subject $ssl_cert]
        set issuer [X509::issuer $ssl_cert]
        # Check whether the issuer DN names one of the expected CAs (substring match)
        if { ($issuer contains "Origo Root CA - G2M") or ($issuer contains "OSIS Customer CA") } {
            # Accept the client cert
            log local0. "Client Certificate Accepted: $issuer"
        } else {
            log local0. "No Matching Client Certificate Was Found Using: Cert issuer - $issuer"
            reject
            return
        }
    }
}
Then rewrite the HOST name
when HTTP_REQUEST {
    set requestedhost [string tolower [HTTP::host]]
    set requestedURI [HTTP::uri]
    set content_length [HTTP::header "Content-Length"]
    set method [HTTP::method]
    # HTTP::payload is empty at this point unless HTTP::collect was called earlier
    log local0. "ip address=[IP::client_addr] before cookie HTTP method=$method host=$requestedhost uri=$requestedURI payload=[HTTP::payload] content length=$content_length"
    if { $requestedhost equals "test1.domain.com" } {
        HTTP::header replace Host "test2.newdomain.com"
        # X509::whole returns PEM with line breaks, which are not legal inside a header value;
        # strip them so the backend receives a single-line value
        HTTP::header insert "CIACertHeader" [string map {"\r" "" "\n" ""} [X509::whole [SSL::cert 0]]]
        HTTP::cookie insert name "BIGIPCOOKIE" value "BIGIPTEST"
        virtual VIRTUAL_SERVER_HTTPS
        log local0. "after cookie host=[HTTP::host] uri=[HTTP::uri] cert=[X509::whole [SSL::cert 0]]"
    }
}
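A hardened variant of the same two events, added here as an example; it is not part of LyonsG_85618's post or F5's own documentation. It differs from the rule above in three ways: it checks SSL::verify_result so the issuer DN is only trusted after the SSL stack has validated the chain against the clientssl profile's CA bundle, it matches the issuer DN exactly rather than with "contains" (a substring test also accepts any issuer whose DN merely includes the approved name), and it removes any client-supplied CIACertHeader before inserting its own so the backend cannot be fed a spoofed certificate. It assumes the clientssl profile is set to request a client certificate with the issuing CAs in its trusted bundle; the issuer strings in allowed_issuers are placeholders and must be replaced with the exact value that X509::issuer logs for a good certificate.

```tcl
# Added example: hardened client-cert check and header handoff (not the poster's rule).
# Assumes the clientssl profile requests a client certificate and trusts the issuing CAs,
# so SSL::verify_result reflects chain validation.
when CLIENTSSL_CLIENTCERT {
    # Exact issuer DNs to accept. Placeholder values: replace with the string that
    # X509::issuer returns for a certificate from each approved CA.
    set allowed_issuers [list \
        "CN=Origo Root CA - G2M,O=Origo,C=GB" \
        "CN=OSIS Customer CA,O=OSIS,C=GB"]

    if { [SSL::cert 0] eq "" } {
        log local0. "No client certificate presented from [IP::client_addr]"
        reject
        return
    }

    # 0 means the chain verified against the profile's trusted CA bundle;
    # any other value is an OpenSSL verify error code.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client certificate failed chain validation (code [SSL::verify_result]) from [IP::client_addr]"
        reject
        return
    }

    set issuer [X509::issuer [SSL::cert 0]]
    # Exact match on the whole issuer DN instead of a substring test.
    if { [lsearch -exact $allowed_issuers $issuer] == -1 } {
        log local0. "Client certificate from unexpected issuer: $issuer"
        reject
        return
    }
    log local0. "Client certificate accepted: subject=[X509::subject [SSL::cert 0]] issuer=$issuer"
}

when HTTP_REQUEST {
    # Never trust a client-supplied copy of the header: drop any that arrived on
    # the request before inserting the one derived from the TLS handshake.
    HTTP::header remove "CIACertHeader"
    if { [SSL::cert 0] ne "" } {
        # Collapse the PEM to a single line so it is a legal header value.
        HTTP::header insert "CIACertHeader" [string map {"\r" "" "\n" ""} [X509::whole [SSL::cert 0]]]
    }
}
```

On the backend, only accept CIACertHeader on the listener that BIG-IP forwards to, since any client that can reach the pool members directly could still set it themselves.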