Forum Discussion

Janek_42109
Jan 22, 2016

ASM - XML Profile Properties : import server certificate failed

Hello all, On my ASM policy I'm trying to upload a server certificate in the Web Services Security Configuration in the XML Profile Properties. I get the following error: "Validation failed. Please upload valid .PEM file".

The certificate that I tried to upload contained the private and the public key in base64 format. When using the following openssl command, "openssl x509 -noout -text -in certificate.pem", I get the right output with all the certificate details.

I was also following the manual: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-6-0/18.html

I don't know where the problem is here.

Has anyone had a similar issue?

Thanks

5 Replies

  • Janek, you might open the PEM file in nano or vi and ensure there is no leading or trailing whitespace and that the file wraps at 64 characters. It must have the correct begin and end headers, and Unix line endings also.
  • Hello Chris, I was checking the file as mentioned but I still had the same issue. I found a workaround using an iRule.
  • Would you be willing to post your iRule workaround so the community can benefit? Thank you.
  • Hello Chris,

    Actually there are two iRules. To explain the context, in my case I have several URIs, each of which has a different web service protected by a different WSDL. I need to restrict access to those Web Services specifically based on the client certificate.

    On the SSL Client Profile I filter the connection on a specific public CA. Then, with the first iRule, based on the serial of the client certificate, I let the connection go on if it matches a serial in the DataGroup. I also create a specific header to pass the client certificate serial. I will use this header again in the second iRule.

    when CLIENTSSL_CLIENTCERT {
      # Capture the client certificate and its details for use in later events
      set cert [SSL::cert 0]
      set sn [X509::serial_number $cert]
      set subject [X509::subject $cert]
      set issuer [X509::issuer $cert]
      set version [X509::version $cert]
    }

    when HTTP_REQUEST {
      # If no client certificate was captured, $sn is undefined: reject instead of erroring
      if { ![info exists sn] } {
        log local0. "No Client Certificate Presented"
        reject
        return
      }
      # Remove any client-supplied copy of the header before inserting ours,
      # so the serial read by the second iRule cannot be spoofed by the client
      HTTP::header remove NSClientCert
      HTTP::header insert NSClientCert $sn
      if { [matchclass $sn contains SSL_CLIENT] } {
        # Accept the client cert
        log local0. "Client Certificate Accepted: $sn"
      } else {
        log local0. "No Matching Client Certificate Was Found Using: $sn"
        reject
      }
    }
    

    The second iRule filters the URI, based again on the serial of the client certificate. One client may or may not be allowed access to one or more Web Services. There are also DataGroups created to match the client certificate serial for each Web Service, according to which clients are authorised to access it or not.

    when HTTP_REQUEST {
      # Serial inserted by the first iRule
      set ClientCertSerial [HTTP::header value NSClientCert]
      switch -glob [string tolower [HTTP::uri]] {
        "/foo/*" {
          if { [matchclass $ClientCertSerial contains SSL_CLIENT_FOO] } {
            HTTP::uri [string map {"/foo/" "/"} [HTTP::uri]]
            pool FOO
          } else {
            # Serial not authorised for this Web Service: deny instead of falling through
            log local0. "Serial $ClientCertSerial not allowed for [HTTP::uri]"
            HTTP::respond 403 content "Forbidden"
          }
        }
        "/bar/*" {
          if { [matchclass $ClientCertSerial contains SSL_CLIENT_BAR] } {
            HTTP::uri [string map {"/bar/" "/"} [HTTP::uri]]
            pool BAR
          } else {
            log local0. "Serial $ClientCertSerial not allowed for [HTTP::uri]"
            HTTP::respond 403 content "Forbidden"
          }
        }
        default {
          log local0. "--> default : [HTTP::uri]"
        }
      }
    }
    

    I realize that there might be an easier way to do it but well, it works like this 🙂
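
As an added example (not code from the thread), a small Python checker for the PEM layout points Chris raises above: Unix line endings, no stray whitespace, paired BEGIN/END headers, 64-column wrapping and base64 that actually decodes. It also lists the block types found, so a file that carries a private key next to the certificate, as in the question, shows up as such; SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import re

# Constructed sample PEM for the demo: base64 of filler text, not a real certificate.
SAMPLE_BODY_B64 = base64.b64encode(b"constructed sample certificate bytes, not real DER " * 3).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_BODY_B64[i:i + 64] for i in range(0, len(SAMPLE_BODY_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END ([A-Z0-9 ]+)-----", re.S)


def check_pem(text):
    """Return (block_types, problems) for the text of a PEM file.

    Checks the points raised in the thread: Unix line endings, no stray
    whitespace, BEGIN/END headers that pair up, a body wrapped at 64 columns,
    and base64 that really decodes. block_types shows whether the file holds
    only a CERTIFICATE or also, for example, an RSA PRIVATE KEY.
    """
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings found; use Unix LF")
        text = text.replace("\r\n", "\n").replace("\r", "\n")  # normalise and keep checking
    if text not in (text.strip(), text.strip() + "\n"):
        problems.append("leading or trailing whitespace around the PEM content")
    if any(line != line.rstrip() for line in text.split("\n")):
        problems.append("trailing whitespace on at least one line")
    blocks = BLOCK_RE.findall(text)
    if not blocks:
        problems.append("no well-formed BEGIN/END block found")
    if BLOCK_RE.sub("", text).strip():
        problems.append("text outside the BEGIN/END blocks (e.g. an openssl -text dump)")
    for begin, body, end in blocks:
        if begin != end:
            problems.append("header mismatch: BEGIN %s vs END %s" % (begin, end))
        lines = body.split("\n")
        if any(len(l) != 64 for l in lines[:-1]) or len(lines[-1]) > 64:
            problems.append("%s body is not wrapped at 64 columns" % begin)
        try:
            base64.b64decode(body.replace("\n", ""), validate=True)
        except (binascii.Error, ValueError):
            problems.append("%s body is not valid base64" % begin)
    return [b[0] for b in blocks], problems


if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM))
```

Run it against the file you are about to upload (`check_pem(open("certificate.pem").read())`); an empty problem list means the layout matches what the replies above ask for.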