Forum Discussion

RiverFish
Oct 26, 2012

Any incoming request (not just the initial connection)

One of the software guys has presented the following to me. Any help would be much appreciated!

"I think part of what might be going on with this is that HTTP 1.1 does not require a new connection with each request. This means that a TCP connection is made, but then there may be multiple request/response pairs that are sent. If the security subject is only being passed through on the initial connection, then you would get the behavior we are seeing. (Note that I am trying to guess backwards from symptom to problem… not something I like doing.)

What we actually need is for the subject header from the certificate to be added on any incoming request (not just the initial connection).

I guess in this direction because Bill is telling me that when he restarts SOAPUI, it will go back to working once for him. This tells me that either:

1. In spite of SOAPUI saying that it is going to close connections after each request… it isn't.

2. The F5 is doing something overly smart in relation to Bill and his session (unlikely)."

Below is the iRule currently assigned to the VIP:

    when CLIENTSSL_CLIENTCERT {
        # Runs when the client certificate arrives during the SSL handshake
        set cert_subject [X509::subject [SSL::cert 0]]
        if { $cert_subject == "" } {
            log "[IP::client_addr]:[TCP::client_port]: No client cert found!"
        }
    }

    when HTTP_REQUEST {
        # cert_subject is only set if CLIENTSSL_CLIENTCERT ran on this connection
        if { [info exists cert_subject] } {
            HTTP::header insert SSLClientCertSubject $cert_subject
            return
        }
    }


3 Replies

  • I understand HTTP_REQUEST is executed on every request (not only the initial one). Can you add some log command?

    HTTP_REQUEST event Wiki

    https://devcentral.f5.com/wiki/iRules.http_request.ashx

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
       log local0. "--"
    }
    when CLIENTSSL_HANDSHAKE {
       log local0. "--"
    }
    when HTTP_REQUEST {
       log local0. "--"
       log local0. "client [IP::client_addr]:[TCP::client_port] | request [HTTP::uri]"
    }
    }
    
    [root@ve10:Active] config  cat /var/log/ltm
    Oct 27 11:06:28 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:28 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:30 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:30 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /index.html
    Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /f5.gif
    Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /favicon.ico
    Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : --
    Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /favicon.ico
    
  • Thanks! This will give us more visibility as to what is happening.
  • Hi tzemler,

    From 10.1 on, you can use [SSL::cert 0] to get the client cert for the duration of the client's SSL session:

    https://devcentral.f5.com/wiki/iRules.ssl__cert.ashx

    Note: As of 10.1.0, as described in CR116806, the following iRule commands now apply to the lifetime of the SSL session, and not only for the connection in which the system receives the client certificate:

    SSL::cert
    SSL::cert issuer
    SSL::cert count

    With this change, the system stores the received peer certificate in the SSL session table, so the certificate is available to the specified iRule commands as long as the SSL session is valid. In previous releases, the CLIENTSSL_CLIENTCERT iRule event retrieved the peer certificate; now the stored certificate can also be retrieved inside the HTTP_REQUEST event.

    Can you try this?

    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" and [set cert_subject [X509::subject [SSL::cert 0]]] ne "" } {
            HTTP::header insert SSLClientCertSubject $cert_subject
        }
    }


    If you want to validate that the client cert chains correctly to the trusted root CA bundle and hasn't expired, see the first example in the SSL::cert wiki page.

    Aaron
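
Added example (not from this thread or from F5): one iRule that combines the points above, reading the certificate on every HTTP_REQUEST through SSL::cert 0 so the subject header is present on the second and later requests of a keep-alive connection and on connections that resume an earlier SSL session (where CLIENTSSL_CLIENTCERT does not fire again). It assumes a 10.1 or later release and that the back end already consumes the SSLClientCertSubject header; it also strips any copy of that header the client sent and, unlike the original iRule, answers 403 instead of forwarding a request for which no usable certificate is available.

```tcl
# Added example, not the thread's own code. Assumes BIG-IP 10.1+, where
# SSL::cert 0 is stored in the SSL session table and is readable from
# HTTP_REQUEST, and that the back end consumes SSLClientCertSubject.
when CLIENTSSL_CLIENTCERT {
    # Fires only on a full handshake; kept for logging, not for state.
    if { [SSL::cert count] == 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]: no client cert presented"
    }
}

when HTTP_REQUEST {
    # Never trust this header from the client side: drop any copy it sent,
    # so the back end only ever sees a value derived from the certificate.
    HTTP::header remove SSLClientCertSubject

    # Per-request lookup: works on the 2nd..Nth request of a keep-alive
    # connection and on connections that resumed an earlier SSL session,
    # neither of which runs CLIENTSSL_CLIENTCERT again.
    set cert [SSL::cert 0]
    if { $cert eq "" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: no cert for [HTTP::uri], rejecting"
        HTTP::respond 403 content "Client certificate required" Connection close
        return
    }

    set cert_subject [X509::subject $cert]
    if { $cert_subject eq "" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: cert has empty subject, rejecting"
        HTTP::respond 403 content "Client certificate required" Connection close
        return
    }

    # Only now is the header set, and only from the BIG-IP's own view of the cert.
    HTTP::header insert SSLClientCertSubject $cert_subject
    log local0. "[IP::client_addr]:[TCP::client_port] | [HTTP::uri] | subject=$cert_subject"
}
```

The log line on every request lets you correlate the back end's missing-header reports with whether the subject was actually inserted, which is the visibility the first reply asked for.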