
IRULES: INSERT CLIENT CERTIFICATE INTO HTTP HEADER

2016-03-14 · Brian Deitch

Use this iRule when the back-end server needs to see the client certificate presented to a VIP where SSL is terminated and client authentication is enforced. The iRule does the following:

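- Check for existing HTTP headers such as X-Forwarded-For and ssl.client_cert and remove them, so the back end only sees values set by the BIG-IP and not ones supplied by the client
- Grab the client certificate, drop the PEM BEGIN/END markers, and strip out any spaces or new lines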
- Insert the trimmed down client certificate into the HTTP Header **ssl.client_cert**
- Insert the HTTP Header **X-Forwarded-For** with the client IP address

```tcl
when HTTP_REQUEST {
    # Remove any client-supplied copies of the headers set below
    if { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove X-Forwarded-For
    }
    if { [HTTP::header exists "ssl.client_cert"] } {
        HTTP::header remove ssl.client_cert
    }
    if { [SSL::cert count] > 0 } {
        # Take the base64 body between the PEM markers (skip the 27-character BEGIN line plus its newline)
        set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
        # Strip spaces, LF and CR so the value fits on a single header line
        set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert]
        HTTP::header insert ssl.client_cert $certnospace
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}
```

You may download a text version of the iRule here.
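
On the back end, the `ssl.client_cert` value arrives as bare base64 with no PEM markers or line breaks, so it has to be validated and re-wrapped before most certificate libraries will accept it. The Python below is an added example, not part of the original post or iRule; it shows one way to do that. The function names and the sample value are assumptions made for illustration, and the sample is constructed filler, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample, NOT a real certificate: a DER SEQUENCE header plus
# 200 filler bytes, encoded the way the iRule emits it (bare base64).
SAMPLE_DER = bytes([0x30, 0x81, 0xC8]) + bytes(range(200))
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")

_BARE_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_from_header(value: str) -> bytes:
    """Decode an ssl.client_cert header value into DER bytes, strictly."""
    # The iRule strips markers, spaces, CR and LF, so anything else is suspect.
    if len(value) % 4 or not _BARE_B64.fullmatch(value):
        raise ValueError("header is not bare base64")
    der = base64.b64decode(value, validate=True)
    # A certificate is a single DER SEQUENCE (tag 0x30) covering every byte.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header_len, body_len = 2, der[1]
    else:                                  # long-form length, n length bytes
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header_len, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header_len + body_len != len(der):
        raise ValueError("truncated certificate or trailing data")
    return der


def pem_from_der(der: bytes) -> str:
    """Re-wrap DER as PEM (64-column base64) for libraries that expect PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, usable for logging or an allow-list."""
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    der = der_from_header(SAMPLE_HEADER)
    print(pem_from_der(der), sha256_fingerprint(der))
```

The structural check only confirms the value is one complete DER object; the back end should still accept this header only on connections coming from the BIG-IP.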

Regards,

BD

Tags: cert based auth, client certificate, crl, http header, irule, irules