Oct 11, 2018

irule help

Team,

I have one requirement for URL-based client authentication, like enabling client auth only for /app and /app1. No client auth is required for any other path.

6 Replies

  • Hi Mike,

    What kind of authentication do you want to perform?

    Kaustubh

  • How can that work? You have to have set up an SSL session before being able to send the HTTP request that includes the URI. You either do client auth for all requests or for none.

  • Edit: Just realized you said you don't have APM. Whoops.

    I have a similar use case. I have one VIP that I hang multiple websites off of. When someone goes to a certain URI, it starts an APM session and they log in with their certificate through APM, flow through the VPE, etc.

    My default switch has ACCESS::disable, which allows everyone initially. If someone goes to a specific URI, it sets a custom variable; if that variable exists, access is enabled for the remainder of their session.

    One thing that I did have to configure in the APM VPE at the client cert prompt: if it failed and the HTTP host value was that public site, I had it redirect to the public site homepage so the user didn't get some F5 APM error. I am not sure how to do that in an iRule.

    My iRule looks something like this:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "www.site1.com" {
                pool pool1
                switch -glob [string tolower [HTTP::uri]] {
                    "*app" {
                        # Protected path: turn APM on and remember it in the session
                        log local0. "inside app uri switch"
                        ACCESS::enable
                        set uri 1
                        ACCESS::session data set session.ssl.custom.cac.uri $uri
                    } "*app1*" {
                        log local0. "inside app1 uri switch"
                        ACCESS::enable
                        set uri 1
                        ACCESS::session data set session.ssl.custom.cac.uri $uri
                    } default {
                        log local0. "inside default switch"
                        # ACCESS::session data get returns an empty string when the key
                        # is not set. Compare the value directly; info exists expects a
                        # variable name, not a value, so the original check never matched.
                        set cac_uri [ACCESS::session data get session.ssl.custom.cac.uri]
                        if { $cac_uri ne "" } {
                            # Session already passed the cert prompt: keep APM enforced
                            ACCESS::enable
                            log local0. "default access exists $cac_uri"
                        } else {
                            # Public path and no prior cert login: no APM for this request
                            ACCESS::disable
                        }
                    }
                }
            }
            "www.site2.com" {
                pool pool2
                SSL::disable serverside
                ACCESS::disable
            }
        }
    }

    Not sure if there's anything wrong with doing it this way, or if there's a better way, but it is working for me. Feedback appreciated.