Forum Discussion
eric_haupt1
Mar 27, 2019 | Nimbostratus
Added some additional features: setting a datagroup check based on IP address to bypass APM, and setting the ability to perform user-agent checks to also bypass. We've been leaning on this fairly heavily for months and it works well.
```tcl
when HTTP_REQUEST {
    set var_uri [HTTP::uri]
    set var_apm_cookie [HTTP::cookie value MRHSession]
    if { ( [class match [IP::client_addr] equals datagroup-apm-bypass] ) } {
        # Permanently disable APM for client addresses within datagroup
        ACCESS::disable
        set var_apm_req 1
        return
    } elseif { ( [string tolower [HTTP::header "User-Agent"]] contains "infopath" ) \
        or ( [string tolower [HTTP::header "User-Agent"]] contains "onenote" ) } {
        # Permanently disable APM for these user-agents.
        # "contains" is a substring match, so the values carry no glob wildcards.
        # User-Agent is client-supplied, so this exemption is not tied to an authenticated identity.
        ACCESS::disable
        set var_apm_req 1
        return
    } elseif { ( [ACCESS::session exists -state_allow $var_apm_cookie] ) \
        or ( [HTTP::uri] starts_with "/my.policy" ) } {
        # initial redirect to /my.policy (starts access policy evaluation)
        set var_apm_req 1
        return
    } elseif { ( [HTTP::uri] starts_with "/start_policy" ) } {
        # initial redirect to /start_policy (starts access policy evaluation)
        ACCESS::session remove
        ACCESS::session create -timeout 1800 -lifetime 0
        ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url=" 18]
        set var_apm_req 1
        return
    } else {
        # APM session disabled until logon process is started
        ACCESS::disable
        set var_apm_req 0
        return
    }
}
when ACCESS_SESSION_STARTED {
    # store the initial (redirect URI) until it's needed
    ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url" 18]
}
when HTTP_RESPONSE {
    # A 401 from the backend while APM was disabled for this request starts the logon process
    if { ([HTTP::status] eq "401") and ($var_apm_req eq 0) } {
        HTTP::respond 302 Location "/start_policy?url=$var_uri"
    }
}
```