WagnerFS_250521
Feb 24, 2016

SSL Profile for URI

Hi all,

 

My case

 

1- We have a virtual server that handles SSL requests (443) without requiring a client certificate for the connection;

2- Now we need to set up, on this virtual server, one URI that starts with "/context" for which the certificate is required;

3- This URI requires that the SSL profile use the "Trusted Certificate Authorities" from the "Client Authentication";

 

Does anyone have an idea of how to implement this?

 

Thank you

 

1 Reply

  • Hi WagnerFS,

     

    you may try the code below as a starting point...

     

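    # Triggered when the client sends a certificate during the handshake.
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            log -noname local0.debug "Client cert is OK; releasing HTTP request."
            # Resume the request that HTTP_REQUEST put on hold with HTTP::collect.
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        # Only URIs starting with /context require a client certificate.
        if { [string tolower [HTTP::uri]] starts_with "/context" } then {
            log -noname local0.debug "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
                # Hold the request, then renegotiate with client authentication required.
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }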

    Note: Tweak your Client SSL Profile so that it trusts and advertises just the desired CA chain.

     

    Cheers, Kai