
Forum Discussion

Adrien_Legros_1
Dec 19, 2012

APM activation based on URI + http website

Hello,
we want to activate APM on a subsite of a public website.
Website is:
http://www.site.com = public
APM protected is http://www.site.com/private
I've seen that it was possible to use the iRule commands ACCESS::enable and ACCESS::disable to do this, but when I try it, I always receive an APM error message saying:
Your session could not be established.
BIG-IP can not find session information in the request. This can happen because your browser restarted after an add-on was installed. If this occurred, click the link below to continue. This can also happen because cookies are disabled in your browser. If so, enable cookies in your browser and start a new session. Thank you for using BIG-IP.
Is it because my VIP is HTTP and not HTTPS? Is APM available for an HTTP website? Is the enable/disable command not the best way to do it?
Thanks for your help.
2 Replies

  • Yes, you would need both a client and a server SSL profile for your VIP.
  • Well, technically APM can be used for HTTP. I supposed it wouldn't make a lot of sense to require authenticated private access to something that wasn't HTTPS, but it is absolutely possible nonetheless. I think what you're missing here is the fact that the access policy process does an initial redirect to /my.policy. You could add that to your URI watch list, but then try this:

    when HTTP_REQUEST {
        # Keep APM enabled when the request already carries an APM session
        # cookie (MRHSession) or targets the protected /private path.
        if { ( [HTTP::cookie exists MRHSession] ) or ( [HTTP::uri] starts_with "/private" ) } {
            return
        } else {
            # Public content: bypass the access policy for this request.
            ACCESS::disable
            return
        }
    }


    If the request is for the /private URI or an existing access session token exists, simply return and let APM work its magic. Otherwise, disable APM. All access to the site prior to requesting /private will bypass APM. After accessing /private and passing the access policy authentication, all access to the site will present an access session token. You could optionally use a data group instead of the static /private URI filter if you have multiple URI paths to protect.
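The data-group variant the reply mentions, written out as an added example (this is not code from the reply above or from F5). It assumes a string data group named apm_protected_paths exists on the BIG-IP holding path prefixes such as /private and /admin; the data group name and its entries are assumptions. It also covers the /my.policy redirect explicitly and compares a lower-cased path so that a differently-cased request for a protected prefix is still routed through the access policy.

```tcl
# Added example iRule: enable APM only for URI prefixes listed in a data
# group. Assumed data group (type string): apm_protected_paths, containing
# entries such as "/private" and "/admin".
when HTTP_REQUEST {
    # Normalize the path once so the prefix comparison is case-insensitive;
    # matching on the raw URI would treat "/Private" as public content.
    set path [string tolower [HTTP::path]]

    # A request that already carries an APM session cookie belongs to an
    # established or in-progress session, and /my.policy is the path APM
    # redirects to while evaluating the access policy. Both must stay under
    # APM control, so return without touching ACCESS.
    if { [HTTP::cookie exists "MRHSession"] || ($path starts_with "/my.policy") } {
        return
    }

    # Any path that begins with a prefix listed in the data group is
    # protected: leave APM enabled for this request.
    if { [class match $path starts_with apm_protected_paths] } {
        return
    }

    # Everything else is public: bypass the access policy for this request.
    ACCESS::disable
}
```

Adding or removing a protected area then becomes a data-group edit rather than an iRule change. The check on the MRHSession cookie is what keeps the policy flow working across the initial redirect: once APM has issued the cookie, subsequent requests for public paths also carry it and are simply passed through with APM enabled, which matches the behaviour described in the reply.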