L’iRule ci-dessous permet de valider le certificat utilisé pour l’authentification et de comparer son adresse e-mail avec la valeur du champ username envoyée dans la requête POST.

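when CLIENTSSL_CLIENTCERT {
    # Capture the e-mail address from the client certificate so the logon POST
    # can be matched against it later. The address is only recorded when a
    # certificate was presented and the client SSL profile's chain/CA
    # verification succeeded (SSL::verify_result 0 == X509_V_OK); a missing or
    # unverified certificate leaves cSSLSubject unset, so no request can be
    # matched against it. The previous version trusted the subject regardless
    # of the verification outcome and left an unused "cert" variable behind.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        # "emailAddress=" is 13 characters; the value runs up to the next RDN separator
        set cSSLSubject [findstr $subject_dn "emailAddress=" 13 ","]
    }
}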

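when HTTP_REQUEST {
    # Only the form-based logon POST is inspected. IIS resolves paths
    # case-insensitively, so the URI is lower-cased before the prefix test to
    # avoid a mixed-case URI slipping past the check. A space was also missing
    # between the condition and body braces ("}{"), which standard Tcl rejects.
    if { [HTTP::method] eq "POST" && [string tolower [HTTP::uri]] starts_with "/cookieauth.dll?logon" } {
        set max_collect 1048576
        set content_length [HTTP::header "Content-Length"]
        # Collect up to 1MB of the body. A missing (e.g. chunked), non-numeric or
        # oversized Content-Length falls back to the 1MB cap instead of being
        # compared as a string.
        if { ![string is integer -strict $content_length] || $content_length > $max_collect } {
            set content_length $max_collect
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        } else {
            # With nothing to collect, HTTP_REQUEST_DATA never runs and the logon
            # request would reach the pool without the certificate check; an empty
            # or negative Content-Length on a logon POST is therefore refused.
            log local0. "== CERTIFICATE CHECK FAILED (empty logon body) =="
            reject
        }
    }
}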
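when HTTP_REQUEST_DATA {
    # Same lower-cased prefix test as HTTP_REQUEST so both handlers agree on
    # which requests are logon POSTs.
    if { [HTTP::method] eq "POST" && [string tolower [HTTP::uri]] starts_with "/cookieauth.dll?logon" } {
        set payload [HTTP::payload]
        # Parse the form body on an exact key rather than a substring search:
        # findstr "username=" would also match inside another field such as
        # "xusername=". Form values are percent-encoded ("@" arrives as "%40"),
        # so the value is decoded before it is compared with the certificate's
        # emailAddress. A missing or repeated username field is ambiguous and is
        # treated as a failed check.
        set username ""
        set username_count 0
        foreach pair [split $payload "&"] {
            if { [string first "username=" $pair] == 0 } {
                set username [URI::decode [string range $pair 9 end]]
                incr username_count
            }
        }
        log local0. "USERNAME POST = $username"

        # cSSLSubject only exists when CLIENTSSL_CLIENTCERT extracted an address;
        # referencing it unguarded raises a Tcl error when no certificate was sent.
        if { [info exists cSSLSubject] } {
            log local0. "CERTIFICATE EMAIL = $cSSLSubject "
        } else {
            log local0. "CERTIFICATE EMAIL = <none>"
        }

        # Fail closed: every condition must hold, including non-empty values on
        # both sides so that "" never matches "".
        if { [info exists cSSLSubject] && $cSSLSubject ne "" \
             && $username_count == 1 && $username ne "" \
             && $username eq $cSSLSubject } {
            log local0. "== CERTIFICATE CHECK PASSED == "
            pool F_securem.extragora.com
        } else {
            log local0. "== CERTIFICATE CHECK FAILED =="
            reject
        }
    }
}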

simon.melotte
