Forum Discussion
APM ACL what is source for IP evaluated
Hi,
I am struggling with figuring out what is base for IP evaluated by for example Static ACL in APM. As far as understand ACL object in VPE are only evaluated during Access Policy processing (between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED) but using ACCESS_ACL_ALLOWED (or denied) I can use ACCESS::acl eval to doper request ACLs. Question is what is used as src and dst IP for ACL evaluation? Is that one of Access Policy variable or actual IPs based on flow? I am asking because I would like to create ACL for forward proxy VS - in this case I can see client IP as src IP but dst IP is VS IP not target server IP (proxy is doing DNS on HTTP proxy request URI - like GET http://www.site.com/something/index.html HTTP/1.1) so in L3/L4 there is no real dst IP known. My idea was to use host from HTTP proxy URI ( do DNSresolveand pass it to access session variable so ACL can use it to evaluate - but not knowing if evaluation is based on session variables makes me wonder if this will work?
Piotr
- Lucas_Thompson_Historic F5 Account
ACLs can operate on Network Access or App Tunnel or LTM+APM or Portal Access mode. Some of these modes have a soure/dest IP and sometimes it's not really relevant.
ACL evaluation comes after ACCESS_POLICY_COMPLETED. Between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED, iRule flows actually are triggered from Client -> APM Renderer, so the source/dest won't make a lot of sense there. After the Access Policy is done, and the session is in "Allow" state, then all assigned ACLs are processed as normal.
What exactly are you trying to ACL? It's pretty flexible, there should be no need to come up with any funny tricks like DNS lookups, etc.
- Lucas_Thompson_Historic F5 Account
ACLs can operate on Network Access or App Tunnel or LTM+APM or Portal Access mode. Some of these modes have a soure/dest IP and sometimes it's not really relevant.
ACL evaluation comes after ACCESS_POLICY_COMPLETED. Between ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED, iRule flows actually are triggered from Client -> APM Renderer, so the source/dest won't make a lot of sense there. After the Access Policy is done, and the session is in "Allow" state, then all assigned ACLs are processed as normal.
What exactly are you trying to ACL? It's pretty flexible, there should be no need to come up with any funny tricks like DNS lookups, etc.
- dragonflymrCirrostratus
Well, I tried to set for example Static ACL object in VPE based on dst IP of host in Internet (I am talking about SWG-Explicit type Access Profile). Any IPs set as dst in ACL are ignored - quite logical as info about target host is actually inside HTTP in Method line (as in my original post it's like GET http://www.site.com/something/index.html HTTP/1.1). At the L4 level connection looks like that client IP:port -> VS IP:port (this VS is working as explicit proxy). If I set src IP in ACL it's evaluated correctly - given client IP is blocked or allowed.
So again problem is with enforcing real dst of proxy request - not known at L4 level. I as well would like to do that not only when Access Policy is processed but for each request - as far as I know it's only possible using ACCESS_ACL_ALLOWED - this is only iRule event fired for each request after policy was evaluated - using ACCESS::acl eval.
Based on my test ACLs in Access Policy are not working per request (opposite to how Per-Request Policy - this is working for each request - but I am not aware of any iRule event fired by Per-Request Policy :-().
To be honest my setup is a bit not standard. I am actually using VS with standard http profile (reverse-proxy not explicit type).
This is another approach to proxy chaining - I need to pass request to upstream explicit proxy. I already tried approach with HTTP::proxy disable for VS with HTTP profile type explicit but now I would like to try opposite approach. But ACLs in this case are ignoring real destination IP. That's why I wonder if any Access Session variable is used for ACL evaluation - if so I could just do DNS resolve per request and update session variable used for ACL evaluation.
Of course maybe it's dead end and there is better way?
Ultimate goal is to create L4 rules (like AFM) that are working for proxy type HTTP requests. In this case AFM rules can only see client IP but not real destination IP - this is explicit proxy VS IP.
So I wonder if using APM ACLs could be solution?
Piotr
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com