L’iRule ci-dessous permet de valider le certificat utilisé pour l’authentification et de comparer sa valeur avec celle du champ username de la requête POST.
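# Capture the emailAddress attribute of the client certificate's subject DN.
# This event is raised when the client presents a certificate during the TLS
# handshake; if no certificate is presented, cSSLSubject is never set, so
# later events must test for it with [info exists cSSLSubject].
when CLIENTSSL_CLIENTCERT {
    # Fetch the leaf certificate once and reuse it instead of calling
    # SSL::cert a second time
    set cert [SSL::cert 0]
    set subject_dn [X509::subject $cert]
    # Skip the 13-character "emailAddress=" prefix and stop at the next ","
    # (yields "" when the subject carries no emailAddress attribute)
    set cSSLSubject [findstr $subject_dn "emailAddress=" 13 ","]
}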
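# Collect the body of POSTs to the logon URL so that HTTP_REQUEST_DATA can
# compare the submitted username with the client certificate.
when HTTP_REQUEST {
    if {[HTTP::method] eq "POST" && [HTTP::uri] starts_with "/CookieAuth.dll?Logon"} {
        # Upper bound on what is collected, whatever the client declares
        set max_collect 1048576
        set declared_length [HTTP::header "Content-Length"]
        # Content-Length is client-supplied. Only trust it when it is a
        # well-formed non-negative integer within the cap; otherwise (header
        # missing, e.g. chunked body, malformed, negative or oversized) fall
        # back to collecting up to the cap, as the original did for a missing
        # header. Comparing a non-numeric header with "<=" would otherwise
        # hand a non-numeric length to HTTP::collect.
        if {[string is integer -strict $declared_length] && $declared_length >= 0 && $declared_length <= $max_collect} {
            set content_length $declared_length
        } else {
            set content_length $max_collect
        }
        # With a zero length there is nothing to collect, HTTP_REQUEST_DATA
        # does not fire and the request is forwarded without the username
        # check. NOTE(review): a logon POST with an empty body carries no
        # username anyway; consider rejecting it here if that is the intent.
        if {$content_length > 0} {
            HTTP::collect $content_length
        }
    }
}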
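# Compare the username submitted to the logon form with the emailAddress of
# the client certificate captured in CLIENTSSL_CLIENTCERT. Only logon POSTs
# whose body was collected in HTTP_REQUEST reach this event.
when HTTP_REQUEST_DATA {
    if {[HTTP::method] eq "POST" && [HTTP::uri] starts_with "/CookieAuth.dll?Logon"} {
        set payload [HTTP::payload]
        # Walk the "name=value" pairs and match the field name exactly, so a
        # differently named field that merely ends in "username" (for example
        # "xusername=") is not picked up as the username.
        # NOTE(review): only the first "username" field is used; if the
        # backend honours a later duplicate, consider rejecting repeated fields.
        set raw_username ""
        foreach pair [split $payload "&"] {
            if {[string range $pair 0 8] eq "username="} {
                set raw_username [string range $pair 9 end]
                break
            }
        }
        # Form bodies are URL-encoded, so "@" normally arrives as "%40";
        # decode before comparing with the certificate's plain address
        set username [URI::decode $raw_username]
        # When no client certificate was presented CLIENTSSL_CLIENTCERT never
        # ran and cSSLSubject is unset; treat that as an empty subject instead
        # of letting the unset-variable error abort the iRule.
        if {[info exists cSSLSubject]} {
            set cert_email $cSSLSubject
        } else {
            set cert_email ""
        }
        log local0. "USERNAME POST = $username"
        log local0. "CERTIFICATE EMAIL = $cert_email "
        # Require a non-empty username: an empty field compared with a
        # certificate lacking emailAddress (also "") would otherwise match
        # and pass the check.
        if {$username ne "" && $username eq $cert_email} {
            log local0. "== CERTIFICATE CHECK PASSSED == "
            pool F_securem.extragora.com
        } else {
            log local0. "== CERTIFICATE CHECK FAILED =="
            reject
        }
    }
}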