Forum Discussion
NimbostratusAPM Header Value in Data Group
I'd like to use APM to limit access to specific URIs. We inject user certificate serial numbers into HTTP headers and I'd like to compare this value with a data group. I setup a empty action box with this branch rule:
expr {class match [HTTP::header "S_NUM"] equals WHITELIST }
Here's the result from APM logs:
Rule evaluation failed with error: invalid command name "HTTP::header"
2 Replies
You're trying to use irule commands in the VPE. BIG-IP has two different TCL interpreters. One is in APMD (the VPE one) and one is in TMOS (the iRule one). You can call iRules from the VPE though (but only from a per-session policy, not from a per-request policy):
https://devcentral.f5.com/wiki/iRules.ACCESS_POLICY_AGENT_EVENT.ashxIf you want to run something on each request from the users in LTM+APM or Portal Access mode, use ACCESS_ACL_ALLOWED:
https://devcentral.f5.com/wiki/iRules.ACCESS_ACL_ALLOWED.ashx
Yann_DesmarestCirrus
Hi,
You should define an irule event instead and attach an irule to your Virtual Server. What you are trying to achieve is not permitted under the VPE. You can only use pure TCL scripting.
You can also define an irule that trap this header during the ACCESS_SESSION_STARTED event and save a value in a session variable that you will be able to reuse in the VPE :
when ACCESS_SESSION_STARTED { if { [HTTP::header exists "S_NUM"] and [class match [HTTP::header "S_NUM"] equals WHITELIST] } { ACCESS::session data set "session.custom.snum" 1 } else { ACCESS::session data set "session.custom.snum" 0 } }
