Client Auth + Pool Base URI

Hi, today I have a VS with a client cert request in the client SSL profile. I have a pool with 7 members and this iRule attached to the VS:

when CLIENTSSL_CLIENTCERT {
    # Keep the client cert (base64 of the DER) for use in later events
    set cert [b64encode [SSL::cert 0]]
}

when HTTP_REQUEST {
    if { [info exists cert] } {
        # Insert the header only on URIs listed in the data group
        if { [class match [string tolower [HTTP::uri]] starts_with dg_urls] } {
            HTTP::header insert Certificate "$cert"
        }
    }
}

In the data group I have the URLs "/app1" and "/app2". Now I need that when someone goes to "/app1" the HTTP request goes to another pool, so I created this iRule:

when CLIENTSSL_CLIENTCERT {
    # Keep the client cert (base64 of the DER) for use in later events
    set cert [b64encode [SSL::cert 0]]
}

when HTTP_REQUEST {
    if { [info exists cert] } {
        # Insert the header only on URIs listed in the data group
        if { [class match [string tolower [HTTP::uri]] starts_with dg_urls] } {
            HTTP::header insert Certificate "$cert"
        }
        # Route /app1 to its own pool
        if { [string tolower [HTTP::uri]] starts_with "/app1" } {
            pool app1
        }
    }
}

Now it all works, but in the Network Map I don't see that this pool app1 is attached to the VS. I know that when we do this in an LTM policy I can see the pool attached to the VS, but I can't do it in a policy; I need that if the client goes to /APP1 the $cert header is inserted for the webserver and the request is forwarded to a pool.

Can I do this in any way so that the app1 pool is also seen in the "Network Map"? If not, can I make the iRule more effective in any way?

Comments on this Question
Comment made 5 months ago by Kevin Stewart

If you're making pool selections in an iRule, these relationships aren't going to show up in the network map. You could minimally attach any pool to the VIP, and then override it in the iRule.

On the behavior of the iRule, a few questions.

  • There's no else condition for '[info exists cert]'. What happens if cert doesn't exist?
  • There's no else condition for the class match. What happens if the URI is not in the data group?
  • There's no else condition for the pool selection. What happens if the URI doesn't start with '/app1'?
Comment made 5 months ago by igorzhuk 69

  • "There's no else condition for '[info exists cert]'. What happens if cert doesn't exist?" drop
  • "There's no else condition for the class match. What happens if the URI is not in the data group?" not insert a cert header
  • "There's no else condition for the pool selection. What happens if the URI doesn't start with '/app1'?" go to the default pool in the VS

Now all works fine.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can use both: an iRule to build and forward the header, then an LTM Policy to manage the pool.

Could you do that, or do you have constraints?

Regards

Comments on this Answer
Comment made 5 months ago by igorzhuk 69

Hi Youssef, I created an iRule for all of it and everything works, but I don't see the pools in the network map. We can see 2 pools for the VS only if I create it from an LTM policy. OK, I'll stay with this.

Is my iRule OK?

Comment made 5 months ago by youssef 3608

For the irule you can try this:

when CLIENTSSL_CLIENTCERT {
    # Check if the client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection
        reject
        return
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log local0. "Client Certificate Received: $subject_dn"

        # Base64 of the DER cert, forwarded to the backend in HTTP_REQUEST
        set cert [b64encode [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Select the pool from the request path
    switch -glob [string tolower [HTTP::path]] {
        "/app1*" {
            log local0. "Matched pool app1 paths for [HTTP::uri]"
            pool app1
        }
        "/app2*" {
            log local0. "Matched pool app2 paths for [HTTP::uri]"
            pool app2
        }
        default {
            log local0. "Hit default for [HTTP::uri]"
            pool pool_default
        }
    }

    # Overwrite any Certificate header the client may have sent
    if { [HTTP::header exists "Certificate"] } {
        HTTP::header replace Certificate "$cert"
    } else {
        HTTP::header insert Certificate "$cert"
    }
}

You can notice that if the user doesn't have a client cert, the connection will be rejected before the HTTP_REQUEST event is processed.

Can you confirm that this is what you want, or do you still want to let the user reach the backend even if he has no certificate? Please explain clearly what you want so that we can help you better.

regards

Comment made 5 months ago by igorzhuk 69

If the client doesn't have a cert he can't connect to the VIP (only clients with a cert are allowed), and on some URLs (the URLs in the data group) I need to provide the base64 of the cert ($cert) and insert it in a "Certificate" header.

And also: if the user goes to URL /app1, go to pool a; if the user goes to URL /app2, go to pool b.

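As an added example (not part of the thread and not F5's code), one iRule that combines the requirements igorzhuk lists above and answers Kevin's three "what happens if" questions explicitly. The data-group name dg_urls and the pool names app1 and app2 come from the thread; the rest is assumed.

```tcl
# Added example, not from the thread. Assumes: data group dg_urls holds
# the URL prefixes that need the header; pools app1 and app2 exist; the
# VS has a default pool attached (so it shows in the Network Map); the
# client SSL profile requests a client certificate.

when CLIENTSSL_CLIENTCERT {
    # Only clients that present a certificate may use the VIP.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    # Base64 of the DER cert, carried to HTTP_REQUEST in a variable.
    set cert [b64encode [SSL::cert 0]]
}

when HTTP_REQUEST {
    # If the handshake event never set $cert (e.g. profile mode is
    # "ignore"), refuse the request instead of raising a runtime error.
    if { ![info exists cert] } {
        reject
        return
    }

    # Never pass through a Certificate header supplied by the client;
    # the backend must only ever see the value the BIG-IP produced.
    HTTP::header remove Certificate

    set path [string tolower [HTTP::path]]

    # Forward the cert only on the URLs listed in the data group.
    if { [class match $path starts_with dg_urls] } {
        HTTP::header insert Certificate $cert
    }

    # Route by path. No default arm: anything else uses the pool
    # attached to the VS, which is what the thread asks for.
    switch -glob $path {
        "/app1*" { pool app1 }
        "/app2*" { pool app2 }
    }
}
```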