Forum Discussion

Nimbostratus

Feb 24, 2016

SSL Profile for URI

Hi all, My case 1- We have a virtual server that meets SSL requests (443) without requirir client certificate for connection; 2- Now we need to set up this Virtual Server uri one that start...

MVP

Feb 24, 2016

Hi WagnerFS,

you may try the code below as a starting point...

when CLIENTSSL_CLIENTCERT { 
    if { [SSL::cert count] > 0 } { 
        log -noname local0.debug "Client cert is OK; releasing HTTP request." 
        HTTP::release 
    }
}
when HTTP_REQUEST {
    if { [string tolower [[HTTP::uri]] starts_with "/context" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]" 
        if { [SSL::cert count] == 0} { 
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..." 
            HTTP::collect 
            SSL::authenticate always 
            SSL::authenticate depth 9 
            SSL::cert mode require 
            SSL::renegotiate 
        }
    }
}

Note: Tweak your Client SSL Profile so that it trust and avertises just the desired CA chain.

Cheers, Kai

Forum Discussion

SSL Profile for URI

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

SSL Profiles

SSL Profiles Part 5: SSL Options

SSL Profiles Part 8: Client Authentication

Modify SSL profiles via REST API

SSL Profiles Part 7: Server Name Indication