Forum Discussion

Lee_Sutcliffe
Mar 26, 2010

iRule to select SSL client cert based on HTTP header

I've written a simple iRule that forwards requests to a relevant pool based on the contents of the HTTP header.

This works fine for HTTP requests; however, I'd like to amend it so that in addition to forwarding to the correct pool, it also selects the correct SSL client profile.

This is the iRule I have for the HTTP requests:

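when HTTP_REQUEST {
    # Choose the pool from the Host header of the request
    if { [HTTP::header "host"] contains "abc" } {
        pool abc-pool
    } else {
        # Tcl requires "else" on the same line as the closing brace
        pool xyz-pool
    }
}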

Any help would be appreciated.

Thanks

5 Replies

  • The trick here is that by the time you're able to get at the HTTP header information, your SSL session has already been established. As of now, I don't know of a good way to do this. How many SSL profiles are you looking to switch on?

    -Matt
  • As Matt suggested, there isn't a way to select the client side SSL profile based on HTTP information with current browsers. See this post for some options:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=56508&ptarget=56509

    Aaron
  • Hmm.. that’s annoying!

    Would it be possible to forward the request to another VIP using the same IP but on a different port?

    All I'm trying to achieve is to reduce the number of public IP addresses we’re using.

    Thanks

    Lee
  • Hi Lee,

    It's a limitation of what's currently implemented in browsers for SSL that you need one IP per cert. You could use a separate port, but then clients and apps would need to reference the site with that port in the URL. You couldn't use an iRule to select that port until the iRule had decrypted the SSL to see which hostname had been requested.

    Aaron