Forum Discussion
Can I use an Irule to bypass an access policy if a cookie is present
- Nov 16, 2023
Thanks for the clear explanation. Yes sure, this should be pretty easy.
Firstly: APM "hides" some session-setup HTTP events from HTTP_REQUEST for safety, so you have to disable that.
Second: APM offers an "ACCESS::disable" command that completely turns off APM from the current connection flow.
So to put these two together, you could do something like:
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST {
if { [string tolower [HTTP::header {x-turn-off-apm}]] == "yes" } {
ACCESS::disable } }Then we can apply this to a vip and test it with curl. See how when we satisfy the header condition in that irule, the access profile is turned off and we get directly to the pool defined, then if we don't satisfy the condition, the APM does the normal set-cookie and /my.policy redirect:
L.Thompson@test ~ % curl -I -X GET -k --header 'x-turn-off-apm: no' https://10.154.73.51
HTTP/1.0 302 Found
Server: BigIP
Content-Length: 0
Location: /my.policy
Set-Cookie: LastMRH_Session=8d8df9f4;path=/;secure
Set-Cookie: MRHSession=7a4cd79cb764e8fa74ba2a618d8df9f4;path=/;secure
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;secure
Connection: close
L.Thompson@test ~ % curl -I -X GET -k --header 'x-turn-off-apm: yes' https://10.154.73.51
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 08 Feb 2023 02:30:13 GMT
Accept-Ranges: bytes
ETag: "e0e3b745653bd91:0"
Server: Microsoft-IIS/10.0
Date: Thu, 16 Nov 2023 20:16:09 GMT
Content-Length: 703
Thanks for the clear explanation. Yes sure, this should be pretty easy.
Firstly: APM "hides" some session-setup HTTP events from HTTP_REQUEST for safety, so you have to disable that.
Second: APM offers an "ACCESS::disable" command that completely turns off APM from the current connection flow.
So to put these two together, you could do something like:
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST {
if { [string tolower [HTTP::header {x-turn-off-apm}]] == "yes" } {
ACCESS::disable } }
Then we can apply this to a vip and test it with curl. See how when we satisfy the header condition in that irule, the access profile is turned off and we get directly to the pool defined, then if we don't satisfy the condition, the APM does the normal set-cookie and /my.policy redirect:
L.Thompson@test ~ % curl -I -X GET -k --header 'x-turn-off-apm: no' https://10.154.73.51
HTTP/1.0 302 Found
Server: BigIP
Content-Length: 0
Location: /my.policy
Set-Cookie: LastMRH_Session=8d8df9f4;path=/;secure
Set-Cookie: MRHSession=7a4cd79cb764e8fa74ba2a618d8df9f4;path=/;secure
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;secure
Connection: close
L.Thompson@test ~ % curl -I -X GET -k --header 'x-turn-off-apm: yes' https://10.154.73.51
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 08 Feb 2023 02:30:13 GMT
Accept-Ranges: bytes
ETag: "e0e3b745653bd91:0"
Server: Microsoft-IIS/10.0
Date: Thu, 16 Nov 2023 20:16:09 GMT
Content-Length: 703
- SteveD1979Nov 17, 2023Cirrostratus
This worked thank you very much
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com