Forum Discussion
APM HTTP Header injection
Hello DevCentral Community,
I want to ask you if it is possible to inject HTTP headers in the server-side connection when APM is in place.
Basically, I need to send dynamically from the F5 to the backend the user's AD UPN attribute (when the user is authenticated on APM with the AD account). I also need to query the AD to extract the user's memberships, in order to inject a dynamic HTTP header with the user's AD group and send it to the backend.
    when ACCESS_POLICY_AGENT_EVENT {
        set timestamp [clock format [clock seconds] -format "%d/%b/%Y %H:%M:%S %z"]
        set userprincipalname [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
        HTTP::header insert "userPrincipalName" $userprincipalname
        set landing [ACCESS::session data get session.server.landinguri]
        set loginfailures [ACCESS::session data get session.localdb.login_failures]
        set Role "undefined"
        switch [ACCESS::policy agent_id] {
            "RoleM" {
                log local0. "RoleA"
                set Role "RoleA"
            }
            "RoleM2" {
                log local0. "RoleM"
                set Role "RoleB"
            }
        }
    }
    when ACCESS_ACL_ALLOWED {
        set landing [ACCESS::session data get session.server.landinguri]
        log local0. "Landing URI: $landing"
        pool xxxx
    }
    when ACCESS_POLICY_COMPLETED {
        set userPrincipalName [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
        log local0. "UPN detected = $userPrincipalName ACCESS_COMPLETED"
        set policy_result [ACCESS::policy result]
        HTTP::header insert "userPrincipalName" $userPrincipalName
        if { $RoleA == "" } { } else { HTTP::header insert "Rolea" $RoleA }
        if { $RoleB == "" } { } else { HTTP::header insert "RoleB" $RoleB }
        switch $policy_result {
            "allow" {
                if { $RoleA == "" } { } else { HTTP::header insert "Rolea" $RoleA }
                if { $RoleB == "" } { } else { HTTP::header insert "RoleB" $RoleB }
            }
            "deny" {
                # Do nothing
            }
        }
    }
- Michael__Nimbostratus
Hi,
You could use the "HTTP_REQUEST_RELEASE" event, which fires after APM on the connection to the backend.

    when HTTP_REQUEST_RELEASE {
        HTTP::header replace "userPrincipalName" [ACCESS::session data get session.ad.last.attr.userPrincipalName]
        # ... and so on
    }
Regards
Micha
The iRule should do the job. Also, with v12 just released, the ability to insert headers on the fly is part of the per-request policies. Check out v12 documentation for more information.
- MDPF52_180608Nimbostratus
Thank you for your help.
I have another problem now, when I try to set the variable assigned dynamically in the ACCESS_POLICY_AGENT_EVENT (each ID of the ACCESS_POLICY_AGENT_EVENT can assign a different value to the variable) in the HTTP_REQUEST_RELEASE there is a TCL Error " can't read "Role": no such variable ". Anyone can suggest me something?
Thanks in advance,
BR.
M.
I just read the iRule more carefully and I think you might be overcomplicating it.
All you really need for header enrichment/insertion is the ACCESS_ACL_ALLOWED event. It fires after the access policy has finished executing and thus has access to all access session variables.
ACCESS_POLICY_COMPLETED fires only once per session, not per request - and I assume you need this inserted in each request - so I suggest you move the header insertion logic from that event to ACCESS_ACL_ALLOWED, and you should be good.
- Stanislas_Piro2Cumulonimbus
Hi,
ACCESS_POLICY_COMPLETED and ACCESS_POLICY_AGENT_EVENT are only raised during policy evaluation.
When the user is authenticated, the only APM event raised on every request is ACCESS_ACL_ALLOWED.
[ACCESS::session data get session.server.landinguri] is the URL that matched the first request and is stored in a variable to redirect the user after authentication... it will always be the same during the whole session...
You can try something like this:
    when ACCESS_ACL_ALLOWED {
        set role [ACCESS::session data get session.custom.role]
        switch -glob [string tolower $role] {
            "rolea" { HTTP::header insert "Role" "RoleA" }
            "roleb" { HTTP::header insert "Role" "RoleB" }
            default { HTTP::header insert "Role" "Undefined" }
        }
        set userprincipalname [ACCESS::session data get "session.ad.last.attr.userPrincipalName"]
        HTTP::header insert "userPrincipalName" $userprincipalname
    }
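
The approach from the replies above, put together as an added example (not code posted by anyone in the thread): the role is stored in the APM session during policy evaluation and read back on every request, and any client-supplied copies of the identity headers are removed before the trusted values are inserted. The agent IDs are the ones from the original post; using session.custom.role as the storage variable and removing the incoming headers are assumptions of this example.

```tcl
# Added example, not code from the thread. Agent IDs "RoleM"/"RoleM2" come
# from the original post; session.custom.role is the variable name read in
# the last reply (how it gets set is an assumption of this example).
when ACCESS_POLICY_AGENT_EVENT {
    # Raised only during policy evaluation. Store the result in the APM
    # session rather than in a Tcl variable, since the thread shows a Tcl
    # variable set here was not readable in a later request event.
    switch [ACCESS::policy agent_id] {
        "RoleM"  { ACCESS::session data set session.custom.role "RoleA" }
        "RoleM2" { ACCESS::session data set session.custom.role "RoleB" }
    }
}

when ACCESS_ACL_ALLOWED {
    # Raised on every allowed request. Remove whatever the client sent under
    # these names first: HTTP::header insert adds a header and leaves any
    # existing header of the same name in place, so the backend could
    # otherwise receive a value that did not come from the access policy.
    HTTP::header remove "Role"
    HTTP::header remove "userPrincipalName"

    switch [string tolower [ACCESS::session data get session.custom.role]] {
        "rolea" { HTTP::header insert "Role" "RoleA" }
        "roleb" { HTTP::header insert "Role" "RoleB" }
        default { HTTP::header insert "Role" "Undefined" }
    }

    # Only forward the UPN when the AD query actually populated it.
    set upn [ACCESS::session data get session.ad.last.attr.userPrincipalName]
    if { $upn ne "" } {
        HTTP::header insert "userPrincipalName" $upn
    }
}
```

The backend should accept these headers only on connections coming from the BIG-IP, since it treats them as already-authenticated identity.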