NSX Advanced Load Balancer optionally inserts the client’s certificate, or parts of it, into a new HTTP header to be sent to the server. To insert multiple headers, the plus icon is used. These inserted headers are in addition to any headers added or manipulated by the more granular HTTP policies or DataScripts.
HTTP Header Name: Name of the headers to be inserted into the client request that is sent to the server.
HTTP Header Value: Used with the HTTP Header Name field, this field is used to determine the field of the client certificate to insert into the HTTP header sent to the server. Several options are more general, such as the SSL Cipher, which lists the ciphers negotiated between the client and NSX Advanced Load Balancer. These generic headers may be used for non-client certificate connections by setting the Validation Type to Request.
Using the app profile option to add a header for SSL client cert using HTTP_POLICY_VAR_SSL_CLIENT_RAW code or appending the result of avi.ssl.client_cert(avi.CLIENT_CERT) through DataScript results in an invalid header value containing <0a> <09> as line separators for the PEM-encoded certificate rather than just <09>. This results in a malformed HTTP request going to the server since the <0a> is interpreted as the end of the header value.
L4 SSL/TLS Application Profile
NSX Advanced Load Balancer supports client certificate verification on L4 SSL/TLS applications.
For more information, see Configuring L4 SSL/ TLS Profile.
