

p_jones_1353
Jul 16, 2014

APM Pool assign based on host header or URL path

I have a scenario where users may hit one VIP for a number of different URLs. I'd like the APM to authenticate the users, assign the users to a pool based on the /path/ (or the Host header, for that matter) and then carry out SSO for the resulting destination.

I believe I now (as of v11.4) need to use local traffic policies for this sort of functionality, which is fine, but I can't see how I can integrate this information into APM.

I'm a bit surprised that I can't create an APM policy in the VPE that says if path=app1 then pool assign pool1 and SSO, or if path=app2 then pool assign pool2 and SSO. It doesn't look like APM supports using lower-level stuff.

Am I missing something, or is there an easy way to configure what I want?

Thanks in advance.

 

5 Replies

  • You can definitely assign different pools via the VPE, for a variety of reasons, but I believe an iRule is the only way to dynamically assign different SSO profiles. I would do something like this:

    when ACCESS_ACL_ALLOWED {
        # Fires on each request once the access policy has completed.
        switch -glob [string tolower [HTTP::uri]] {
            "/app1*" {
                pool app1_pool
                WEBSSO::select app1_sso
            }
            "/app2*" {
                pool app2_pool
                WEBSSO::select app2_sso
            }
            default {
                pool default_pool
                WEBSSO::disable
            }
        }
    }
    

    It goes without saying that each of the SSO profiles requires a set of information to use for the SSO process (i.e. name, password, domain, etc.) and you must collect all of this information up front in the single access policy authentication process.

  • Thank you very much. I assume I can also do something as follows to use the host?

    when ACCESS_ACL_ALLOWED {
        switch -glob [string tolower [HTTP::uri]] {
            "ww1.*.com/*" {
                pool app1_pool
                WEBSSO::select app1_sso
            }
            "www2.*.com/*" {
                pool app2_pool
                WEBSSO::select app2_sso
            }
            default {
                pool default_pool
                WEBSSO::disable
            }
        }
    }
    

    I notice that this is run on ACCESS_ACL_ALLOWED, and I assume this means at the end of the policy being complete. Does this replace the resource assign action in the policy? If so, would there be any way to make something like this run after the user has logged in and just create a session variable which could be used in a branching decision later on in the policy? I'd rather use the VPE to assign resources (if possible).

    If I could create a session variable as part of an iRule, it appears to me that the branching rules within the VPE are quite limited. For example, I can't see any way to use a session variable in a Branch rule. Any idea on if and how I can do that?

    Thanks again

  • I assume I can also do something as follows to use the host?

    Just keep in mind that [HTTP::host] returns the Host header portion of the URL (i.e. www.host.com), while [HTTP::uri] returns the URI portion of the URL (i.e. /path/to/file.html). Your example was close, but to switch on the Host, you wouldn't add the URI pattern.

    when ACCESS_ACL_ALLOWED {
        # Match on the Host header only; the URI is not part of [HTTP::host].
        switch -glob [string tolower [HTTP::host]] {
            "ww1.*.com" {
                pool app1_pool
                WEBSSO::select app1_sso
            }
            "www2.*.com" {
                pool app2_pool
                WEBSSO::select app2_sso
            }
            default {
                pool default_pool
                WEBSSO::disable
            }
        }
    }
    

    I notice that this is run on ACCESS_ACL_ALLOWED, and I assume this means at the end of the policy being complete. Does this replace the resource assign action in the policy? If so, would there be any way to make something like this run after the user has logged in and just create a session variable which could be used in a branching decision later on in the policy? I'd rather use the VPE to assign resources (if possible).

    Yes for the pool selection, but not for the SSO selection. The ACCESS_ACL_ALLOWED event is synonymous with the HTTP_REQUEST event, but is triggered after each HTTP_REQUEST event and after the access policy is complete.

    If I could create a session variable as part of an iRule, it appears to me that the branching rules within the VPE are quite limited. For example, I can't see any way to use a session variable in a Branch rule. Any idea on if and how I can do that?

    You can certainly use session variables in branch conditions. For example:

    expr { [mcget {session.custom.foo}] eq "bar" }
    

    This would return a Boolean response that would (or would not) cause processing to follow the branch it was assigned to.

  • Thanks for the pointers

    Doing some digging around, I think I found a way to do most of this in the VPE. Without being able to test it myself at the moment, what are your thoughts on the below?

    There are a couple of good session variables I found:

    session.server.network.name - holds the host for every logon

    session.server.landinguri - holds the URI for every logon

    I think I may be able to use these in the VPE branch rules with an advanced expression like the following:

    expr { [mcget {session.server.network.name}] == "ww1.*.com" }

    Any idea on whether this would work as an alternative to the iRule? For example, I don't know whether you can use wildcards like I have done above.

  • I don't believe the wildcard will work directly for an expression, but then you can use tcl string and regex commands directly inside the expression to get the job done. In any case, the above may work for URI/path branching, but you'll still need an iRule to switch between SSO profiles.
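    As an added illustration of the last two replies (branch rules on session variables, and Tcl string/regex commands inside an expression), not code from anyone in the thread: the branch-rule expressions below use [string match] and [regexp] against session.server.network.name and session.server.landinguri, and a tclsh harness with a stub mcget and constructed session values lets you check them offline before pasting them into the VPE. The pool/SSO iRule from the earlier replies is still needed for SSO profile selection.

```tcl
# Added example, not from the thread. Shows wildcard matching of the
# session.server.network.name and session.server.landinguri variables in
# APM branch-rule expressions via [string match] and [regexp], plus a
# tclsh harness (mcget stub, constructed session values) for checking
# the expressions offline before they go into the VPE expression box.

# Constructed session values; in APM these are populated at logon.
array set session {
    session.server.network.name "WW1.Example.com"
    session.server.landinguri   "/App1/login?next=/home"
}

# Stand-in for APM's mcget so the expressions run unchanged under tclsh.
proc mcget {name} {
    global session
    return $session($name)
}

# Branch-rule expressions exactly as they would be entered in the VPE.
# The host is lowercased because Host headers are case-insensitive; the
# URI check is anchored so /app10 or /app1evil does not count as /app1.
set host_is_app1 {expr { [string match "ww1.*.com" [string tolower [mcget {session.server.network.name}]]] }}
set path_is_app1 {expr { [regexp -nocase {^/app1(/|\?|$)} [mcget {session.server.landinguri}]] }}
# The literal comparison from the thread: == performs no glob expansion.
set literal_eq   {expr { [mcget {session.server.network.name}] == "ww1.*.com" }}

# Evaluate each expression and report 1 (branch taken) or 0 (not taken).
proc check {label expression} {
    set result [eval $expression]
    puts [format "%-12s %s" $label $result]
    return $result
}

check host_is_app1 $host_is_app1
check path_is_app1 $path_is_app1
check literal_eq   $literal_eq
```

    Run it with tclsh; only the string-match and regexp forms take the branch, which is why a plain wildcard in an == comparison does not work.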