Forum Discussion
APM AdAuth HTTP Header Insert iRule Switch Statement
Hi folks, first forum post here, looking for a hand with iRules!
Currently when a user connects from their PC to the Virtual Server, as part of the Access Policy they are presented with an Logon Page, which authenticates with AD Auth, and upon successful authentication, the traffic is passed and a header is inserted with their username via an iRule. This HTTP header is required for the backend service to work. It uses the following iRule to apply this:
when ACCESS_ACL_ALLOWED
{
HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
}
We have two other devices that want to access this virtual server but do not need the username header to be inserted, as it is already present, so would like to pass these devices straight through without applying the header again, based on their source IPs. This is what I've come up with:
when ACCESS_ACL_ALLOWED
{
switch [IP::cliemt_addr]{
"10.0.0.1" -
"10.0.0.2" { //do nothing }
default {
HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"] }
}
}
I am not well versed with iRules, but believe this should work, but would like some confirmation/advise if something better can be done! Thanks in advance.
As Jason said, there are many ways to do this and your method looks fine. But note your typo in IP::client_addr. And it is good practise to use -- to terminate switch options.
You could also do this by checking whether the header already exists
when ACCESS_ACL_ALLOWED { if { ! [HTTP::header exists iv-user] } { HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"] } } }
Doh! My bad, thanks for that. I did find that the F5 does not like:
// do nothing
within those braces, so I have omitted the contents and left it as:
when ACCESS_ACL_ALLOWED { switch -- [IP::client_addr] { "10.0.0.1" - "10.0.0.2" {} default { HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"] } } }
This should be okay right?
- PeteWhiteEmployee
As Jason said, there are many ways to do this and your method looks fine. But note your typo in IP::client_addr. And it is good practise to use -- to terminate switch options.
You could also do this by checking whether the header already exists
when ACCESS_ACL_ALLOWED { if { ! [HTTP::header exists iv-user] } { HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"] } } }
- tdaishAltostratus
Thanks for the response! Yes, that was me fat fingering it here, code I've written up/exists currently does not have that typo. So to clarify your comment on switch termination, it would be as follows then:
when ACCESS_ACL_ALLOWED { switch [IP::client_addr]{ "10.0.0.1" - "10.0.0.2" -- { //do nothing } default { HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"] } } }
I like that code you have provided for checking existing headers, really appreciate the options here.
- PeteWhiteEmployee
Hiya, when I mentioned the switch termination i meant this ie the -- after the switch command
when ACCESS_ACL_ALLOWED { switch -- [IP::client_addr] { "10.0.0.1" - "10.0.0.2" { //do nothing } default { HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"] } } }
- JRahmAdmin
Hi tdaish, thanks for the question! The switch will work just fine, and sets you up for more client IPs should that be necessary. You could back off to a "not matches_glob" if/else if you wanted to, or progress to a data-group and class statement if exceptions start to hit 20+, but what you have here is sufficient.
- tdaishAltostratus
Thanks for your response! I like this option, something to consider for sure, might combine that with what PeteWhite submitted, to check against inserted headers and source addresses. We only expect to use two IPs, but there is potential for more. I don't think it will ever reach anywhere near 20! Appreciate your help. 🙂
tdaish - When you feel like your post is solved (seems you may have partially solved anyway) please select *Accept As Solution*. You can also choose more than one answer if the Solution progresses over several replies.
This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com