For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Adrien_Legros_1's avatar
Adrien_Legros_1
Icon for Altostratus rankAltostratus
Dec 19, 2012

APM activation based on URI + http website

Hello,   we want to activate APM on a subsite of a public website.   Website is:   http://www.site.com = public   APM protected is http://www.site.com/private   I've seen that it was p...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 29, 2014

Well, technically APM can be used for HTTP. I supposed it wouldn't make a lot of sense to require authenticated private access to something that wasn't HTTPS, but it is absolutely possible nonetheless. I thin what you're missing here is the fact that the access policy process does an initial redirect to /my.policy. You could add that to your URI watch list, but then try this:

when HTTP_REQUEST {
    if { ( [HTTP::cookie exists MRHSession] ) or ( [HTTP::uri] starts_with "/private" ) } {
        return
    } else {
        ACCESS::disable
        return
    }
}

If the request is for the /private URI or an existing access session token exists, simply return and let APM works its magic. Otherwise, disable APM. All access to the site prior to requesting /private will bypass APM. After accessing /private and passing the access policy authentication, all access to the site will present an access session token. You could optionally use a data group instead of the static /private URI filter if you have multiple URI paths to protect.