Forum Discussion

Armando_6406
Jun 06, 2013

iRule based on Client being authenticated

Hi there:

I would appreciate anyone's knowledge with a simple iRule to be able to filter incoming clients to a particular Data Group of possible uri strings.

We have a Virtual Server that can be accessed by a number of different external clients each having its own Digital Certificate for SSL authentication.

However we want to restrict each client to a set of possible uri strings held in a Data Group.

Could anyone provide me or guide me with an iRule where the event declaration is CLIENT_ACCEPTED or similar, and somehow obtain the "Issued to" of the SSL certificate so it can be matched to a Data Group.

Alternatively, what is the best and correct way to write an iRule to restrict an incoming HTTP request from a number of possible different clients to a predefined set of uri strings in a Data Group?

Thanks!

2 Replies

  • The first thing you have to consider is complexity and manageability. Do you have lots of users with lots of different URI allowances, with lots of URIs to work with, or is there some limited number of URI "groups" and/or some pattern to the users that present a certificate? For example, if you had 1000 users that had 1000 different combinations of URI allowances, who would want to have to manage that list? The next question is what do you want to do if a user presents a request that they are not allowed to get (based on your data group search)? Would you want to simply reject the connection, redirect them to a sorry page or some other page in the site, or send some static HTML?

  • Could anyone provide me or guide me with an iRule where the event declaration is CLIENT_ACCEPTED or similar, and somehow obtain the "Issued to" of the SSL certificate so it can be matched to a Data Group.

    Starting from 10.1.0, the client certificate is automatically cached, so I think you can check the certificate subject in HTTP_REQUEST.

    sol11479: If the session iRule command is used to add binary data to the session table, the data will be corrupted (Additional information section)

    http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11479.html

    X509::subject wiki

    https://devcentral.f5.com/wiki/iRules.X509__subject.ashx
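The approach the second reply describes (reading the cached client certificate's subject in HTTP_REQUEST and matching it against a data group), written out as an added example; it is not code from this thread or from F5. The data group names `client_uri_groups` and `uris_client_a`, the CN value `client-a`, and the URI prefixes are assumptions for illustration.

```tcl
# Added example (not from the original thread): restrict each client-certificate
# holder to the URI prefixes listed for it in a data group.
# Assumed objects (hypothetical names):
#   - string data group "client_uri_groups": key = lowercased certificate subject CN,
#     value = name of a second string data group holding that client's allowed URI prefixes
#     e.g. key "client-a" -> value "uris_client_a"
#   - string data group "uris_client_a" with records such as "/api/orders/" and "/api/status/"
# The certificate is cached on the connection from v10.1.0, so it is readable in HTTP_REQUEST.
when HTTP_REQUEST {
    # No client certificate on this connection: nothing to authorize against.
    if { [SSL::cert count] == 0 } {
        HTTP::respond 403 content "client certificate required" "Connection" "close"
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    # Pull the CN out of the subject DN, e.g. "CN=client-a,O=Example" -> "client-a"
    if { ![regexp {CN=([^,]+)} $subject -> cn] } {
        HTTP::respond 403 content "unrecognized certificate subject" "Connection" "close"
        return
    }
    # Look up which URI data group applies to this client (keys stored lowercase)
    set uri_group [class match -value [string tolower $cn] equals client_uri_groups]
    if { $uri_group eq "" } {
        log local0. "no URI group for CN=$cn; rejecting [HTTP::uri]"
        HTTP::respond 403 content "client not authorized" "Connection" "close"
        return
    }
    # Compare the decoded, lowercased path (query string excluded) against the prefixes.
    # Reject dot-segments so "/api/orders/../admin" cannot slip past a prefix check.
    set path [string tolower [URI::decode [HTTP::path]]]
    if { [string first ".." $path] >= 0 } {
        HTTP::respond 400 content "bad path" "Connection" "close"
        return
    }
    if { ![class match $path starts_with $uri_group] } {
        log local0. "CN=$cn denied $path"
        HTTP::respond 403 content "forbidden" "Connection" "close"
        return
    }
    # Allowed: the request continues to the virtual server's default pool
}
```

This only authorizes; the client SSL profile must be set to require and verify client certificates against a trusted CA, otherwise the subject being matched was never authenticated. End each allowed prefix with a trailing slash so that "/api/status/" does not also admit "/api/status-admin".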