Forum Discussion

Tom_51318's avatar
Tom_51318
Icon for Nimbostratus rankNimbostratus
Aug 15, 2013

cannot target different APM VIPs from irule attached to HTTP_REQUEST event, because HTTP::path changes to my.policy, etc.

Hi there, I have a VS, no policy, with an irule on HTTP_REQUEST, that switches on HTTP::path, and routes the traffic to different APM VIPs:   on HTTP_REQUEST { switch -glob [HTTP::path] { ...
application delivery
BIG-IP Access Policy Manager (APM)
design
devops
iRules
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 15, 2013

That's an interesting and very valid scenario. Here are a few options:

  1. Clientless-mode - if you don't have "disruptive" mechanisms in your access policy, like message boxes and logon forms, clientless-mode will bypass the /my.policy redirect, validate the access policy, send data to the server, and then add the APM session token to the FIRST server response. This is typically used with clients that don't support the redirects, but certainly an option here. You just need to add a "clientless-mode" header to the HTTP_REQUEST event of the APM VIPs:

    when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
}

  2. When the APM VIP sends that /my.policy redirect, it'll also send the initialized session cookie. The trick then is to catch that response in an external LTM iRule and create a session table entry that maps the session cookie to the APM VIP. On subsequent requests, if "/my.policy", look up and forward based on the cookie. After policy evaluation is over, you should never see /my.policy again and can go back to URI-based balancing.