Mr_Moody
Oct 30, 2020 (Nimbostratus)
Help with iRule Client Auth Certs
I have an iRule below that I'm working on. My intent is to enforce client certificate authentication on two URIs only, and any client certificate errors should result in a redirect to a custom er...
- Nov 01, 2020
Your HTTP::respond 302 is in the else clause of your second if statement.
It is never reached.
```tcl
when HTTP_REQUEST {
    if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2") } {
        # This path has no client-authentication
        return
    } else {
        # perform client-authentication if the uri matches
        if { ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2") } {
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            set cmd "SSL::profile /Common/require_clientssl"
            eval $cmd
            SSL::renegotiate
        } else {
            # we cannot execute this path because of the first *if* statement
            if { [SSL::verify_result] == 0 } {
                return
            } else {
                HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
            }
        }
    }
}
```
Try something like
```tcl
when HTTP_REQUEST {
    # The whole "or" is parenthesized: without the outer parentheses "not"
    # applies only to the first starts_with, so requests for /uri2 would
    # take the early return and skip client authentication
    if { not (([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")) } {
        # we don't need to renegotiate with client-authentication
        return
    } else {
        # we do need to renegotiate with client-authentication
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        set cmd "SSL::profile /Common/require_clientssl"
        eval $cmd
        SSL::renegotiate
        # check if renegotiation with client-auth succeeded
        if { [SSL::verify_result] == 0 } {
            return
        } else {
            HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
        }
    }
}
```
but I haven't tested this to check ...
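The following is an added example, not code from either poster in this thread and not tested on a BIG-IP. It keeps the two URI prefixes, the `/Common/require_clientssl` profile and the redirect URL from the thread, and it assumes the usual iRule events and commands (`CLIENT_ACCEPTED`, `CLIENTSSL_HANDSHAKE`, `HTTP_REQUEST_DATA`, `HTTP::collect`, `HTTP::release`, `SSL::cert count`). The point it adds is timing: `SSL::renegotiate` only starts a new handshake, which completes after `HTTP_REQUEST` has returned, so the certificate result is read in `CLIENTSSL_HANDSHAKE` while the held request waits, and the redirect is issued only once that result is known. The `cert_ok` flag is per TCP connection, so later requests on the same connection are not renegotiated again.

```tcl
# Per-URI client certificate enforcement with the verification checked after
# the renegotiated handshake completes (added example; assumes the events and
# commands named in the lead-in behave as documented, untested on a BIG-IP)

when CLIENT_ACCEPTED {
    set need_cert 0   ;# 1 while a renegotiation for a protected URI is pending
    set cert_ok   0   ;# 1 once a client certificate validated on this connection
}

when HTTP_REQUEST {
    # Outer parentheses so "not" covers both prefixes (see the precedence note above)
    if { not (([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")) } {
        # Unprotected path: no client certificate needed
        return
    }
    if { $cert_ok } {
        # A certificate was already verified on this connection
        return
    }
    # Protected path: ask for a client certificate and hold the request until
    # the handshake result is available in CLIENTSSL_HANDSHAKE
    set need_cert 1
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    set cmd "SSL::profile /Common/require_clientssl"   ;# same eval indirection as the thread
    eval $cmd
    SSL::renegotiate
    HTTP::collect
}

when CLIENTSSL_HANDSHAKE {
    if { $need_cert } {
        set need_cert 0
        # verify_result is 0 only when a certificate was presented and its chain
        # validated against the trusted CA bundle of the client SSL profile
        if { ([SSL::cert count] > 0) && ([SSL::verify_result] == 0) } {
            set cert_ok 1
        }
        # Release the held request so HTTP_REQUEST_DATA can act on the result
        HTTP::release
    }
}

when HTTP_REQUEST_DATA {
    if { !$cert_ok } {
        # Missing or invalid client certificate: send the custom error redirect
        HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
        return
    }
    # Certificate accepted: the request continues to the pool unchanged
}
```

Two details worth checking in a lab before relying on this: the `HTTP::collect` / `HTTP::release` hold is what prevents the first protected request from being forwarded before the client has presented a certificate, and `SSL::cert count` catches the case where the handshake completed without any certificate at all, which `SSL::verify_result` alone does not distinguish from a valid one.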