For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 07, 2015

Well, sort of.

While clientless-mode will avert the /my.policy redirects, it doesn't deal with the APM session cookie that is bound to the (single) host name. So when you authentication to one app, you'll get an MRHSession cookie for www.mysites.com. When you go to the second app it won't prompt you for authentication at all because you'll be sending a valid APM session cookie in the very first request.

If you're only using APM for one of the VIPs, then you could just make sure you switch based on URI pattern and /my.policy. 

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/applications/app1*" { pool app1_pool }
        "/my.policy* { pool app1_pool }
        "/applications/app2*" { pool app2_pool }
        default { pool app1_pool }
    }
}

If you have more than one APM VIP using this same host name, then you could do VIP targeting (an LTM VIP in front of your APM VIPs) and write an iRule that rewrites the /my.policy redirect URI from each VIP (ex. /app1/my.policy and /app2/my.policy) and then write it back in the following request, and rewrite the outgoing MRHSession cookies so that they have a path attribute that is specific to each application.

Set-Cookie: MRHSession=1298329493824239; path=/app1; secure...

But probably the very best solution is to not put two APM VIPs on the same host name. If you're worried about limited IPs you can point multiple host names at a single IP and the APMs won't step on each other.