iRules: Insert client certificate into HTTP Header

Use this iRule when the back-end server needs to see the client certificate presented to a VIP where SSL is terminated and client authentication is enforced. The iRule does the following:

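  • Check for existing HTTP Headers such as X-Forwarded-For and ssl.client_cert on the incoming request and remove them, so the back end only sees the values this iRule sets
  • Grab the client certificate, take the body between the BEGIN CERTIFICATE and END CERTIFICATE markers, and strip out any spaces or new lines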
  • Insert the trimmed down client certificate into the HTTP Header ssl.client_cert
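  • Insert the HTTP Header X-Forwarded-For with the client IP address

when HTTP_REQUEST {
	# Remove any client-supplied copies of the headers the back end will rely on
	if { [HTTP::header exists "X-Forwarded-For"] } {
		HTTP::header remove X-Forwarded-For
	}
	if { [HTTP::header exists "ssl.client_cert"] } {
		HTTP::header remove ssl.client_cert
	}
	# Only add the headers when the client actually presented a certificate
	if { [SSL::cert count] > 0 } {
		# Take the PEM body: skip 28 characters (the 27-character BEGIN marker
		# plus the newline after it) and stop at the END marker
		set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
		# Strip spaces, line feeds and carriage returns so the value fits on one header line
		set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert]
		HTTP::header insert ssl.client_cert $certnospace
		HTTP::header insert X-Forwarded-For [IP::client_addr]
	}
}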
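
On the back end, the ssl.client_cert value has to be turned back into a certificate. The following is an added example, not part of the original post: a Python decoder that assumes the header carries the single-line base64 body produced by the iRule above. The function names and the constructed sample bytes are hypothetical.

```python
import base64
import binascii
import hashlib
import ssl


def der_outer_length(der: bytes) -> int:
    """Return the total length (header + body) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_client_cert_header(values):
    """values: every ssl.client_cert header value seen on the request."""
    # The iRule removes existing copies and inserts one, so anything else is suspect.
    if len(values) != 1:
        raise ValueError("expected exactly one ssl.client_cert header")
    try:
        # validate=True rejects whitespace and other non-base64 characters
        der = base64.b64decode(values[0], validate=True)
    except binascii.Error as exc:
        raise ValueError("header is not clean base64") from exc
    if der_outer_length(der) != len(der):
        raise ValueError("truncated certificate or trailing data")
    return {
        "sha256": hashlib.sha256(der).hexdigest(),   # fingerprint for logging or pinning
        "pem": ssl.DER_cert_to_PEM_cert(der),        # re-armoured, 64-column PEM
    }


# Constructed stand-in for a certificate: a DER SEQUENCE header plus 300 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
# What the iRule would send: the base64 body with all whitespace removed.
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    info = decode_client_cert_header([SAMPLE_HEADER])
    print(info["sha256"])
    print(info["pem"].splitlines()[0])
```

The decoder checks only the encoding and the outer DER framing; it does not parse or validate the certificate itself.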

You may download a text version of the iRule here.

Regards,

BD
