Forum Discussion

tdaish
Aug 15, 2023
Solved

APM AdAuth HTTP Header Insert iRule Switch Statement

Hi folks, first forum post here, looking for a hand with iRules! 

Currently, when a user connects from their PC to the Virtual Server, as part of the Access Policy they are presented with a Logon Page, which authenticates with AD Auth, and upon successful authentication the traffic is passed and a header is inserted with their username via an iRule. This HTTP header is required for the backend service to work. It uses the following iRule to apply this:


when ACCESS_ACL_ALLOWED
{
     HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
}


We have two other devices that want to access this virtual server but do not need the username header to be inserted, as it is already present, so would like to pass these devices straight through without applying the header again, based on their source IPs. This is what I've come up with:


when ACCESS_ACL_ALLOWED
{
     switch [IP::cliemt_addr] {
          "10.0.0.1" -
          "10.0.0.2" { //do nothing }
          default {
               HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
          }
     }
}


I am not well versed with iRules, but believe this should work, and would like some confirmation/advice if something better can be done! Thanks in advance.

  • As Jason said, there are many ways to do this and your method looks fine. But note your typo in IP::client_addr. And it is good practice to use -- to terminate switch options.

    You could also do this by checking whether the header already exists

    when ACCESS_ACL_ALLOWED
    {
         if { ! [HTTP::header exists iv-user] } {
              HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
         }
    }


  • tdaish
    Aug 21, 2023

    Doh! My bad, thanks for that. I did find that the F5 does not like:

    // do nothing

     within those braces, so I have omitted the contents and left it as:

    when ACCESS_ACL_ALLOWED
    {
         switch -- [IP::client_addr] {
              "10.0.0.1" -
              "10.0.0.2" {}
              default {
                   HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
              }
         }
    }

    This should be okay right?

8 Replies

    • tdaish

      Thanks for the response! Yes, that was me fat fingering it here, code I've written up/exists currently does not have that typo. So to clarify your comment on switch termination, it would be as follows then:

      when ACCESS_ACL_ALLOWED
      {
           switch [IP::client_addr] {
                "10.0.0.1" -
                "10.0.0.2" -- { //do nothing }
                default {
                     HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
                }
           }
      }

      I like that code you have provided for checking existing headers, really appreciate the options here.

      • PeteWhite

        Hiya, when I mentioned the switch termination I meant this, i.e. the -- after the switch command:

        when ACCESS_ACL_ALLOWED
        {
             switch -- [IP::client_addr] {
                  "10.0.0.1" -
                  "10.0.0.2" { //do nothing }
                  default {
                       HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
                  }
             }
        }
  • Hi tdaish, thanks for the question! The switch will work just fine, and sets you up for more client IPs should that be necessary. You could back off to a "not matches_glob" if/else if you wanted to, or progress to a data-group and class statement if exceptions start to hit 20+, but what you have here is sufficient.

    • tdaish

      Thanks for your response! I like this option, something to consider for sure, might combine that with what PeteWhite submitted, to check against inserted headers and source addresses. We only expect to use two IPs, but there is potential for more. I don't think it will ever reach anywhere near 20! Appreciate your help. 🙂

  • tdaish - When you feel like your post is solved (seems you may have partially solved anyway) please select *Accept As Solution*. You can also choose more than one answer if the Solution progresses over several replies.

    This helps future readers find answers more quickly and confirms the efforts of those who helped.
    Thanks for being part of our community.
    Lief
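
Editor's note: the following iRule is an added example, not code posted in this thread, showing how Jason's data-group suggestion and PeteWhite's header-exists check can be combined so that only the listed devices may supply their own iv-user header, while every other client gets the APM-verified username. It assumes an address-type data group named dg_trusted_header_sources (a hypothetical name) containing the trusted device IPs; note that HTTP::header insert adds a header without removing one the client already sent, so the example removes any pre-existing iv-user for non-trusted clients before inserting.

```tcl
# Added example, not from the thread. Assumes an address-type data group named
# dg_trusted_header_sources (hypothetical) listing the devices that are allowed
# to supply their own iv-user header, e.g. the two IPs from the question.
when ACCESS_ACL_ALLOWED {
    if { [class match [IP::client_addr] equals dg_trusted_header_sources] } {
        # Trusted device: its existing iv-user header is passed through untouched.
        log local0. "iv-user passthrough for trusted source [IP::client_addr]"
    } else {
        # Any other client reached this point via the APM logon page.
        # HTTP::header insert adds a header even if the client already sent one,
        # so drop any client-supplied iv-user before inserting the APM username.
        if { [HTTP::header exists "iv-user"] } {
            log local0. "Removing client-supplied iv-user from [IP::client_addr]"
            HTTP::header remove "iv-user"
        }
        set user [ACCESS::session data get "session.logon.last.username"]
        if { $user ne "" } {
            HTTP::header insert "iv-user" $user
        } else {
            # Should not happen after a successful AD Auth; log it for investigation.
            log local0. "No APM username in session for [IP::client_addr]"
        }
    }
}
```

Adding or removing a trusted device then only requires editing the data group rather than the iRule.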