Hi all,
we have a web site reversed on StingRay by a VirtualServer with SSL decryption and a pool with SSL encryption; until now everything has been easy to deploy.
UserBrowser => SSL Decryption => VirtualServer => SSL Encryption => Pool => nodes
A new feature of our web site implements user authentication with a client certificate, and here is the problem: is it possible to forward a request for client certificate authentication from the back end to the real user through StingRay and return the response to the back-end server?
Node => ClientCertRequest => Pool => VirtualServer => UserBrowser => ClientCertResponse => VirtualServer => Pool => Node
Regards
Stefano
The only way to achieve this would be to validate the client certificate on the STM, then extract the validated SSL client certificate information using TrafficScript (details below) and pass it in an HTTP header to the back end (ensuring that the TrafficScript which does this checks that the header is not already present - for security reasons!).
Your back end application would need to have code to handle the HTTP header and allocate rights accordingly.
In your TrafficScript you would need to use ssl.clientCert() and http.addHeader():
Modifies the current HTTP request, adding an HTTP header with the supplied value. A case-insensitive lookup is first performed in order to find any existing headers. If a match is found, a duplicate header will be added to the message along with the new value.
# Add a host header if it is missing
if( !http.headerExists( "Host" ) ) {
http.addHeader( "Host", "unknown" );
}
Returns the PEM encoded client certificate, or the empty string if the connection was not SSL-encrypted or if a certificate was not supplied.
# Display the client certificate data
$cert = ssl.clientCert();
log.info( "Certificate: " . $cert );
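Putting the two calls above together, as an added example (not code from the thread or from the product documentation): the rule strips any client-supplied copy of the header before setting it, refuses requests with no certificate, and flattens the PEM so it fits in a header value. The header name X-SSL-Client-Cert is an assumed convention, and string.replaceAll is assumed to be available on the STM version in use.

```trafficscript
# Added example: hand a validated client certificate to the back end
# in a header that only the STM itself is allowed to set.
# Assumed header name; choose one your back end agrees on.
$hdr = "X-SSL-Client-Cert";

# Remove any copy of the header that arrived from the client, so a
# request can never carry a forged certificate into the back end.
http.removeHeader( $hdr );

# Empty string means no certificate was supplied (or no SSL on the
# front end). The virtual server must already be configured to
# request and validate client certificates against your CA.
$cert = ssl.clientCert();
if( $cert == "" ) {
   # Stop here rather than forward an unauthenticated request.
   http.sendResponse( "403 Forbidden", "text/plain",
                      "Client certificate required", "" );
}

# Header values cannot contain raw newlines, so put the PEM block on
# one line; the back end restores the line breaks before parsing it.
$flat = string.replaceAll( $cert, "\r", "" );
$flat = string.replaceAll( $flat, "\n", " " );
http.addHeader( $hdr, $flat );
```

The back end should additionally accept this header only on connections that originate from the STM, since any other path to the node would let a caller supply it directly.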
Hi Aidan,
we were looking for a way to pass through the cert authentication but there's no way to do that.
We already use custom header passing information to our web-app.
Thanks for the response,
Regards,
Stefano