Forum Discussion

MDPF52_180608
Sep 07, 2015

APM HTTP Header injection

Hello DevCentral Community,

I want to ask you if it is possible to inject HTTP headers in the server-side connection when APM is in place.

Basically, I need to send dynamically from the F5 to the backend the user AD UPN attribute (when the user is authenticated on APM with the AD account). I also need to query the AD in order to extract the user memberships, in order to inject a dynamic HTTP header with the AD group of the user and send it to the backend.

when ACCESS_POLICY_AGENT_EVENT {
    set timestamp [clock format [clock seconds] -format "%d/%b/%Y %H:%M:%S %z"]
    set userprincipalname [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
    HTTP::header insert "userPrincipalName" $userprincipalname
    set landing [ACCESS::session data get session.server.landinguri]
    set loginfailures [ACCESS::session data get session.localdb.login_failures]
    set Role "undefined"

    # Pick the role according to which iRule Event agent fired
    switch [ACCESS::policy agent_id] {
        "RoleM" {
            log local0. "RoleA"
            set Role "RoleA"
        }
        "RoleM2" {
            log local0. "RoleM"
            set Role "RoleB"
        }
    }
}

when ACCESS_ACL_ALLOWED {
    set landing [ACCESS::session data get session.server.landinguri]
    log local0. "Landing URI: $landing"
    pool xxxx
}

when ACCESS_POLICY_COMPLETED {
    set userPrincipalName [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
    log local0. "UPN detected = $userPrincipalName ACCESS_COMPLETED"

    set policy_result [ACCESS::policy result]
    HTTP::header insert "userPrincipalName" $userPrincipalName

    if { $RoleA == "" } { } else { HTTP::header insert "Rolea" $RoleA }
    if { $RoleB == "" } { } else { HTTP::header insert "RoleB" $RoleB }

    switch $policy_result {
        "allow" {
            if { $RoleA == "" } { } else { HTTP::header insert "Rolea" $RoleA }
            if { $RoleB == "" } { } else { HTTP::header insert "RoleB" $RoleB }
        }
        "deny" {
            # Do nothing
        }
    }
}

  • Hi,

    You could use the "HTTP_REQUEST_RELEASE" event, which fires after APM on the connection to the backend.

    when HTTP_REQUEST_RELEASE {
        HTTP::header replace "userPrincipalName" [ACCESS::session data get session.ad.last.attr.userPrincipalName]
        # ... and so on
    }
    

    Regards

    Micha

    • MDPF52_180608
      Thank you for your help. I have another problem now, when I try to set the variable assigned dynamically in the ACCESS_POLICY_AGENT_EVENT (each ID of the ACCESS_POLICY_AGENT_EVENT can assign a different value to the variable) in the HTTP_REQUEST_RELEASE there is a TCL Error " can't read "Role": no such variable ". Anyone can suggest me something? Thanks in advance, BR. M.
  • The iRule should do the job. Also, with v12 just released, the ability to insert headers on the fly is part of the per-request policies. Check out v12 documentation for more information.

     

  • Thank you for your help.

     

    I have another problem now, when I try to set the variable assigned dynamically in the ACCESS_POLICY_AGENT_EVENT (each ID of the ACCESS_POLICY_AGENT_EVENT can assign a different value to the variable) in the HTTP_REQUEST_RELEASE there is a TCL Error " can't read "Role": no such variable ". Anyone can suggest me something?

     

    Thanks in advance,

     

    BR.

     

    M.

     

  • I just read the iRule more carefully and I think you might be overcomplicating it.

     

    All you really need for header enrichment/insertion is ACCESS_ACL_ALLOWED event. It fires after access policy has finished executing and thus has access to all access session variables.

     

    ACCESS_POLICY_COMPLETED fires only once per session, not per request - and I assume you need this inserted in each request - so I suggest you move header insertion logic from that event to ACCESS_ACL_ALLOWED, and you should be good.

     

  • Hi,

    ACCESS_POLICY_COMPLETED and ACCESS_POLICY_AGENT_EVENT only raise during policy evaluation.

    When the user is authenticated, the only APM event raised on every request is ACCESS_ACL_ALLOWED.

    [ACCESS::session data get session.server.landinguri] is the URL that matched first time request and is stored in variable to redirect user after authentication... it will be always the same during the whole session...

    you can try something like that:

    when ACCESS_ACL_ALLOWED {
        set role [ACCESS::session data get session.custom.role]
        switch -glob [string tolower $role] {
            "rolea" { HTTP::header insert "Role" "RoleA" }
            "roleb" { HTTP::header insert "Role" "RoleB" }
            default { HTTP::header insert "Role" "Undefined" }
        }
        set userprincipalname [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
        HTTP::header insert "userPrincipalName" $userprincipalname
    }
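
Added example, not part of any post in this thread: one way to combine the suggestions above, persisting the role chosen in ACCESS_POLICY_AGENT_EVENT in the APM session and removing client-supplied copies of the identity headers before inserting them on each request. It assumes the iRule Event agent IDs "RoleM" and "RoleM2" from the original post and uses session.custom.role from the last reply as the custom session variable.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Runs during policy evaluation only. The thread reports "can't read Role"
    # when a Tcl variable set here is read in a later event, so the result is
    # stored in the APM session instead of a local variable.
    switch [ACCESS::policy agent_id] {
        "RoleM"  { ACCESS::session data set session.custom.role "RoleA" }
        "RoleM2" { ACCESS::session data set session.custom.role "RoleB" }
    }
}

when ACCESS_ACL_ALLOWED {
    # Raised on every request of an established session.
    # Remove any copies of these headers sent by the client, so the backend
    # only ever sees values set by this iRule.
    HTTP::header remove "Role"
    HTTP::header remove "userPrincipalName"

    # Only the two known role values are forwarded; anything else is "Undefined".
    set role [ACCESS::session data get session.custom.role]
    switch -- $role {
        "RoleA" -
        "RoleB" { HTTP::header insert "Role" $role }
        default { HTTP::header insert "Role" "Undefined" }
    }

    # Insert the UPN only when the AD query actually returned one.
    set upn [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
    if { $upn ne "" } {
        HTTP::header insert "userPrincipalName" $upn
    }
}
```

The backend should accept these headers only on connections coming from the BIG-IP, since any other path to it would let a client set them directly.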