Some basic iRule questions

Question

&nbsp; I am a little new to irules so I could get some advice I would appriciate it. 
&nbsp;  
&nbsp; I have traffic moving through an F5 LTM and it uses client side authentication. 
&nbsp;  
&nbsp; There is an I rule configured that works as follows 
&nbsp; This is existing and seems to work - the idea is to put the cert subject dn into an http header - 
&nbsp;  
&nbsp;  
&nbsp; when CLIENTSSL_CLIENTCERT { 
&nbsp;  
&nbsp; set subject_dn [X509::subject [SSL::cert 0]] 
&nbsp;  
&nbsp; } 
&nbsp; when HTTP_REQUEST { 
&nbsp;  
&nbsp;  Insert user header 
&nbsp; HTTP::header insert user $subject_dn 
&nbsp;  
&nbsp; set names [HTTP::header names] 
&nbsp; foreach name $names { 
&nbsp; set val [HTTP::header value $name] 
&nbsp; log local0. "    $name: $val" 
&nbsp; }  
&nbsp; } 
&nbsp;  
&nbsp; I would like to do two additonal steps 
&nbsp;  
&nbsp; 1. Redirect the request to a new URI IF the URL matches a pattern for example  
&nbsp;  
&nbsp; 2. Put the origninal URL and URI in a second head which for the sake of discussion I will call mytarget. 
&nbsp;  
&nbsp;  
&nbsp; so essentially I am trying to modify the above rule too do the following 
&nbsp;  
&nbsp; if the users goes to *.example.com/ AND the $subject_dn is populated 
&nbsp;  
&nbsp; send them store *.example.com/ in a header and redirect them to the same *.example.com/redirect 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;

hooleylist · Answer

What are you trying to accomplish with the changes to the iRule? 
&nbsp;  
&nbsp; If the application (or LTM) sets an arbitrary HTTP header in a response, the client will not include that same header in a subsequent request.  You could try setting a cookie with the subject DN as the cookie value.  The client would automatically include the cookie in requests assuming they support cookies.  But a malicious client could modify the cookie value.  So you could encrypt the cookie value in responses and decrypt it on requests.  Another option would be to store the cert information in the session table, using the session command (Click here).  There are examples of this in the Codeshare: 
&nbsp;  
&nbsp; Insert Cert In Server Headers 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html 
&nbsp;  
&nbsp; Aaron

matt_108491 · Answer

&nbsp; The reason for the aribtrary header is that the redirect sends this request to another proxy which uses both pieces of information. 
&nbsp;  
&nbsp; The Flow is: 
&nbsp;  
&nbsp; (certificate)--&gt;LTM(convert cert info to headers)--&gt;Proxy---&gt;Website 
&nbsp;  
&nbsp; Since LTM is consuming the certificate which the Proxy used to use. relevent information is being stored in a header.  
&nbsp;  
&nbsp; The mytarget header contains the orignial intended URL which the proxy will then pass the user onto. &nbsp;

hooleylist · Answer

I can understand why you'd want to insert the client cert in the headers if the SSL decryption is being moved to the BIG-IP.  But I'm not sure about the URI.  Wouldn't the proxy see the original requested URI?  Or do you want to change this on the BIG-IP and insert the original URI in a header? 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Some basic iRule questions

3 Replies

Recent Discussions

F5 Rseries R2600 Tenant sizing

About AWAF "Redirect URLs" in "Responses and Blocks"

ISP Bandwidth Utilization

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Related Content

Basic findstr question

iRule - Authorization Bearer / Basic

Getting Started with iRules: Basic Concepts

Implementing basic OAuth with F5 BIG-IP APM

Novice Question - irules