iRule help

Team,

I have one requirement for URL-based client authentication: enable client auth only for /app and /app1. No client auth is required for any other path.

Comments on this Question
Comment made 5 days ago by ka1021 134

Hi Mike,

What kind of authentication do you want to perform?

Kaustubh

Comment made 4 days ago by mikegray 457

Client certificate-based authentication.

Comment made 4 days ago by Pete White

How can that work? You have to have setup an SSL session before being able to send the HTTP request which includes the URI. You either do client auth for all requests or for none.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You could try something like this: https://devcentral.f5.com/questions/switch-off-client-auth-or-switch-ssl-profile-altogether-sslcert-mode-or-sslprofile-

It's also worth noting that this can be very easily achieved, without iRules, using Access Policy Manager (APM).

Comments on this Answer
Comment made 4 days ago by mikegray 457

We don't have APM in production.

Comment made 4 days ago by mikegray 457

Hello Kevin,

Thanks for the update. Can we remove the request_send part? What will happen if the user is not submitting any certificate? Our requirement is to protect only specific paths; the remaining ones should be plain.

Comment made 4 days ago by Kevin Stewart

Request_send? You mean HTTP_REQUEST_SEND?

The iRule basically functions the way APM would do it, by establishing a "session" with an authenticated user by virtue of a unique token cookie. This keeps an existing user accessing a privileged URL from getting prompted over and over again. The certificate header information is actually sent in the HTTP_REQUEST_SEND event.

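The pattern Kevin describes (hold the first request to a protected path, renegotiate TLS to ask for a certificate, then recognise the user by an opaque token cookie so the prompt is not repeated, and pass the certificate identity to the server in HTTP_REQUEST_SEND), written out as an added illustration; this is not the iRule from the linked article or anyone's production code. The cookie name CERTSESSION, the subtable name certsess, the 1800-second session lifetime, the X-Client-Cert-Subject header and the /app and /app1 path matching are assumptions, and the client SSL profile is assumed to carry the CA bundle used to verify the certificate chain.

```tcl
when CLIENT_ACCEPTED {
    # Per-connection state: has this connection already passed client auth?
    set authed 0
    set newtoken ""
}
when HTTP_REQUEST {
    # Only /app and /app1 (and anything beneath them) require a client certificate.
    set protected 0
    switch -glob -- [string tolower [HTTP::path]] {
        "/app" - "/app/*" - "/app1" - "/app1/*" { set protected 1 }
    }
    if { !$protected || $authed } { return }
    # Returning user: a CERTSESSION cookie that maps to a subject in the session table.
    if { [HTTP::cookie exists "CERTSESSION"] } {
        set subject [table lookup -subtable certsess [HTTP::cookie "CERTSESSION"]]
        if { $subject ne "" } { set authed 1 ; return }
    }
    # First protected request on this connection: hold it and renegotiate TLS,
    # asking the client for a certificate on the already-established session.
    HTTP::collect
    SSL::cert mode request
    SSL::renegotiate
}
when CLIENTSSL_CLIENTCERT {
    # No certificate, or one that failed chain verification: drop the connection.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    # Opaque session token: sha256 over connection data plus randomness, hex-encoded (assumed scheme).
    binary scan [sha256 "[IP::client_addr][TCP::client_port][clock clicks][expr {rand()}]"] H* newtoken
    table set -subtable certsess $newtoken $subject 1800
    set authed 1
    HTTP::release
}
when HTTP_REQUEST_SEND {
    # Once the connection is authenticated, pass the identity to the pool member.
    if { $authed } {
        clientside { HTTP::header insert "X-Client-Cert-Subject" $subject }
    }
}
when HTTP_RESPONSE {
    # Issue the session cookie once, on the response to the request that prompted.
    if { $newtoken ne "" } {
        HTTP::header insert "Set-Cookie" "CERTSESSION=$newtoken; Path=/; Secure; HttpOnly"
        set newtoken ""
    }
}
```

Requests to any other path never trigger the renegotiation, so a client without a certificate is only refused when it asks for /app or /app1.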
Comment made 3 days ago by action_- 85

Hi Kevin,

You mentioned this can all be done in APM. I'm curious to see how that would be done?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Edit: Just realized you said you don't have APM. Woops.

I have a similar use case. I have one VIP that I hang multiple websites off of. When someone goes to a certain URI, it starts an APM session and they log in with their certificate through APM, flow through the VPE, etc.

My default switch has ACCESS::disable, which allows everyone initially. If someone goes to a specific URI, it sets a custom variable; if that variable exists, access is enabled for the remainder of their session.

One thing I did have to configure in the APM VPE was the client cert prompt: if it failed and the HTTP host value was that public site, I had it redirect to the public site homepage so the user didn't get some F5 APM error. I am not sure how to do that in an iRule.

My iRule looks something like this:

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "www.site1.com" {
            pool pool1
            switch -glob [string tolower [HTTP::uri]] {
                "*app" {
                    log local0. "inside app uri switch"
                    ACCESS::enable
                    # flag the APM session so later requests on it stay protected
                    ACCESS::session data set session.ssl.custom.cac.uri 1
                } "*app1*" {
                    log local0. "inside app1 uri switch"
                    ACCESS::enable
                    ACCESS::session data set session.ssl.custom.cac.uri 1
                } default {
                    log local0. "inside default switch"
                    # test the session variable's value directly; [info exists <value>]
                    # checks for a Tcl variable named after the value and is never true here
                    if { [ACCESS::session data get session.ssl.custom.cac.uri] ne "" } {
                        ACCESS::enable
                        log local0. "default access exists [ACCESS::session data get session.ssl.custom.cac.uri]"
                    } else {
                        ACCESS::disable
                    }
                }
            }
        }
        "www.site2.com" {
            pool pool2
            SSL::disable serverside
            ACCESS::disable
        }
    }
}

Not sure if there's anything wrong about doing it this way, or if there's a better way, but it is working for me. Feedback appreciated.
