iRule: insert cert info into HTTP headers

Here's one that illustrates how to use the "session" command in conjunction with SSL certificate information to allow passing of information to backend webservers.

As above, I want to deliver the SSL cert serial number to the HTTP server behind BIG-IP, and redirect users who have no cert to an error page at the same time.

After a bit of coaching by unRuleY and Colin, here's what came out.

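when CLIENTSSL_CLIENTCERT {
  # Fires when the client presents a certificate during the SSL handshake.
  set ssl_stuff [list anything1 anything2]
  set ssl_cert [SSL::cert 0]
  set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
  lset ssl_stuff 0 $ssl_cert
  lset ssl_stuff 1 $ssl_errstr
  # Store cert and verification result in the session table, keyed by the
  # SSL session ID, with a 180-second timeout.
  session add ssl [SSL::sessionid] $ssl_stuff 180
}

when HTTP_REQUEST {
  # Drop any copies of these headers sent by the client, so the backend
  # only ever sees the values inserted below.
  HTTP::header remove SSLClientCertStatus
  HTTP::header remove SSLClientCertSN

  # An empty lookup result (no cert was presented) falls through to the
  # redirect, because the error string will not equal "ok".
  set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
  set ssl_cert2 [lindex $ssl_stuff2 0]
  set ssl_errstr2 [lindex $ssl_stuff2 1]
  if { $ssl_errstr2 eq "ok" } {
    HTTP::header insert SSLClientCertStatus $ssl_errstr2
    HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
  } else {
    HTTP::redirect http://192.168.0.64/error.html
  }
}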
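
On the receiving side, the backend should only believe these two headers when the request really came from the BIG-IP. The following is an added example, not part of the original post or of F5's code: a small WSGI middleware in Python, where the trusted network, the accepted serial format and the `client_cert.serial` environ key are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption (constructed): the BIG-IP connects from an address in this network.
TRUSTED_PROXIES = (ipaddress.ip_network("192.168.0.0/24"),)
# Assumption: the serial is hex, optionally colon-separated, at most 20 octets.
SERIAL_RE = re.compile(r"[0-9a-f]{1,40}")


def cert_serial_from_request(environ):
    """Return the normalized serial vouched for by the proxy, else None."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    # The headers mean nothing unless the TCP peer is the proxy itself.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    # Exact match only: WSGI servers join repeated headers with commas, so a
    # client-supplied duplicate shows up as "ok, ok" and fails closed here.
    if environ.get("HTTP_SSLCLIENTCERTSTATUS") != "ok":
        return None
    serial = environ.get("HTTP_SSLCLIENTCERTSN", "").replace(":", "").lower()
    # A comma-joined duplicate or any non-hex content is rejected.
    if not SERIAL_RE.fullmatch(serial):
        return None
    return serial


class RequireClientCert:
    """WSGI middleware: answer 403 unless the proxy vouched for a client cert."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        serial = cert_serial_from_request(environ)
        if serial is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"client certificate required\n"]
        environ["client_cert.serial"] = serial  # hypothetical key for the app
        return self.app(environ, start_response)
```
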

Click here for the forum thread.

-Joe

 

Published Aug 10, 2005
Version 1.0
