Use this iRule when the back-end server needs to see the client certificate presented to a VIP where SSL is being terminated and client authentication is being enforced. The iRule does the following:
- Check for existing HTTP Headers such as X-Forwarded-For and ssl.client_cert and remove them
- Grab the client certificate and strip out any spaces or new lines
- Insert the trimmed down client certificate into the HTTP Header ssl.client_cert
- Insert the HTTP Header X-Forwarded-For with the client IP address
```tcl
when HTTP_REQUEST {
    # Remove any copies of these headers that arrived with the request
    if { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove X-Forwarded-For
    }
    if { [HTTP::header exists "ssl.client_cert"] } {
        HTTP::header remove ssl.client_cert
    }
    if { [SSL::cert count] > 0 } {
        # Keep the text between the PEM markers; 28 skips the BEGIN line and its newline
        set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
        # Strip spaces, line feeds and carriage returns
        set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert]
        HTTP::header insert ssl.client_cert $certnospace
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}
```
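On the back-end server, the ssl.client_cert value arrives as the certificate's base64 body with no PEM markers or line breaks, so it has to be decoded or re-wrapped before a certificate parser will accept it. The Python below is an added example, not part of the original iRule or post; the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def irule_header_value(pem):
    """Mimic the iRule: take the text between the PEM markers, drop whitespace."""
    start = pem.index(BEGIN) + 28          # same 28-character skip as findstr
    body = pem[start:pem.index(END, start)]
    return body.replace(" ", "").replace("\n", "").replace("\r", "")


def cert_from_header(value):
    """Return (der, pem, sha256_hex) rebuilt from the ssl.client_cert value."""
    if not value:
        raise ValueError("ssl.client_cert header missing or empty")
    # validate=True rejects any character outside the base64 alphabet
    # (binascii.Error is a subclass of ValueError).
    der = base64.b64decode(value, validate=True)
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("decoded value is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join([BEGIN, *lines, END]) + "\n"
    return der, pem, hashlib.sha256(der).hexdigest()


# Constructed sample: a DER SEQUENCE header plus filler bytes, NOT a real
# certificate; it stands in for the PEM text that X509::whole returns.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = cert_from_header(base64.b64encode(SAMPLE_DER).decode())[1]

if __name__ == "__main__":
    # Feed the PEM (with CRLF line endings) through the same stripping steps.
    header = irule_header_value(SAMPLE_PEM.replace("\n", "\r\n"))
    der, pem, fingerprint = cert_from_header(header)
    print(len(header), "header characters,", len(der), "DER bytes")
    print("sha256:", fingerprint)
    print(pem)
```

The rebuilt PEM or the DER bytes can then be handed to whatever X.509 library the application already uses; the checks here only confirm the header is well-formed base64, not that the certificate is valid.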
You may download a text version of the iRule here.
Regards,
BD
