Forum Discussion

e0013192_143645
Mar 29, 2017

Client Authentication for Specific URI

Is there a way to terminate SSL for a VS and use client SSL authentication, but only if they are going to anything in /SOAP? So if they request there would be no client SSL authentication required, but if they go to they will be required to authenticate.

 

1 Reply

  • Hi e0013192,

    you may take a look at the iRule below. It changes the SSL settings to require authentication if a specific URI was requested, and then simply pauses the ongoing HTTP request until an SSL re-negotiation has been successfully completed.

    when CLIENT_ACCEPTED {
        # Per-connection flag: 1 while a held request is waiting for a client cert
        set session_cert 0
    }
    when CLIENTSSL_HANDSHAKE {
        # Only act on the handshake that follows the renegotiation requested below
        if { $session_cert } then {
            if { [SSL::cert count] > 0 } then {
                log -noname local0.debug "Client cert is OK; releasing HTTP request."
                HTTP::release
                set session_cert 0
            } else {
                log -noname local0.debug "Client cert is not OK; rejecting TCP connection."
                reject
            }
        }
    }
    when HTTP_REQUEST {
        # Case-insensitive prefix match on the requested URI
        if { [string tolower [HTTP::uri]] starts_with "/soap" } then {
            log -noname local0.debug "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
                set session_cert 1
                # Hold the request, then switch the connection to "require" and renegotiate
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
    

    Note: You have to configure the "Trusted CA" and "Advertised CA" settings in your Client SSL Profile, but leave the "Client Certificate" setting on "Ignore". This will be controlled by this iRule.

    Cheers, Kai
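
One way to check from a client that the iRule in the reply above gates only /SOAP, as an added example that is not part of the original post. `VS_HOST`, `PUBLIC_PATH` and the certificate file names are assumptions, as is a curl build whose TLS library accepts server-initiated renegotiation; TLS 1.2 and HTTP/1.1 are forced because TLS 1.3 has no renegotiation and HTTP/2 prohibits it.

```shell
#!/bin/sh
# Added example: verifies that only /SOAP demands a client certificate.
# VS_HOST, PUBLIC_PATH and the certificate file names are assumptions.
PUBLIC_PATH="${PUBLIC_PATH:-/}"
CLIENT_CERT="${CLIENT_CERT:-client.crt}"   # issued by the profile's Trusted CA
CLIENT_KEY="${CLIENT_KEY:-client.key}"
CA_FILE="${CA_FILE:-ca.crt}"               # CA that signed the VS server cert

# probe URL [extra curl args...] -> prints the HTTP status, or 000 when the
# connection ended before any HTTP response (handshake failure or TCP reset).
probe() {
    url="$1"; shift
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        --http1.1 --tls-max 1.2 --cacert "$CA_FILE" "$@" "$url") || true
    echo "${code:-000}"
}

# verdict PUBLIC_NOCERT SOAP_NOCERT SOAP_CERT -> PASS or a FAIL reason
verdict() {
    if [ "$1" = "000" ]; then
        echo "FAIL: public path unreachable without a certificate"
    elif [ "$2" != "000" ]; then
        echo "FAIL: /SOAP answered (HTTP $2) without a client certificate"
    elif [ "$3" = "000" ]; then
        echo "FAIL: /SOAP refused a valid client certificate"
    else
        echo "PASS"
    fi
}

check_vs() {
    base="https://$1"
    pub=$(probe "$base$PUBLIC_PATH")
    # Lower-case form on purpose: the iRule lowercases the URI before matching.
    soap_nocert=$(probe "$base/soap")
    soap_cert=$(probe "$base/SOAP" --cert "$CLIENT_CERT" --key "$CLIENT_KEY")
    verdict "$pub" "$soap_nocert" "$soap_cert"
}

# Runs only when a target is supplied, e.g. VS_HOST=vs.example.test sh check.sh
if [ -n "${VS_HOST:-}" ]; then
    check_vs "$VS_HOST"
fi
```

Any HTTP status on the certificate probe counts as success here, since the status itself comes from the pool member behind the virtual server.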