Forum Discussion
Checking for APM variable existence
Hi Eric,
Let's make a real-life comparison of what your iRule does.
You have an entrance hall with a service desk where lots of customers are flowing in, and you have a back office where your customer data is stored. Each time a customer visits your service desk, your service desk operator is forced to walk several times into the back office to get the customer ID, their citizenship, their address and their preferred communication method independently.
Does this make sense? I guess it would be far more effective to store your customer data in such a way that a single walk into the back office would be sufficient to process a customer, wouldn't it?
Your APM session variables and the ACCESS_ACL_ALLOWED iRule event are pretty much comparable to the scenario above. They do not necessarily work inline and may require TMM to perform connection parking, which adds delay to the request and costs some CPU cycles.
Because of this it would be much smarter to substitute a [list] item at the end of your APM policy (one-time processing) and store the list in a custom session variable to make your header injection iRule (per-request processing) much more efficient.
APM Variable Assign for Certificate-Users:
Variable Name: session.custom.sso_header_injection
Expression: return [list 1 [mcget {session.user.sessionid}] [mcget {session.custom.start.time}] [mcget {session.ssl.cert.issuer}] [mcget {session.ssl.cert.subject}] [mcget {session.custom.cert.email}]]
APM Variable Assign for non Certificate-Users:
Variable Name: session.custom.sso_header_injection
Expression: return [list 2 [mcget {session.user.sessionid}] [mcget {session.custom.start.time}]]
Highly optimized iRule:
when ACCESS_ACL_ALLOWED {
    log local0. "Injecting Header X-F5-Forwarded-For = [IP::client_addr]"
    HTTP::header insert "X-F5-Forwarded-For" [IP::client_addr]
    # Single session lookup: index 0 is the operation mode, the rest are header values
    set sso_header_injection_list [ACCESS::session data get session.custom.sso_header_injection]
    log local0. "Retrieved header injection list = $sso_header_injection_list"
    if { [lindex $sso_header_injection_list 0] == 1 } then {
        log local0. "Certificate user detected..."
        log local0. "Injecting Header X-F5-SessionID = [lindex $sso_header_injection_list 1]"
        HTTP::header insert "X-F5-SessionID" [lindex $sso_header_injection_list 1]
        log local0. "Injecting Header X-F5-Session-start = [lindex $sso_header_injection_list 2]"
        HTTP::header insert "X-F5-Session-start" [lindex $sso_header_injection_list 2]
        log local0. "Injecting Header X-F5-Cert-Issuer = [lindex $sso_header_injection_list 3]"
        HTTP::header insert "X-F5-Cert-Issuer" [lindex $sso_header_injection_list 3]
        log local0. "Injecting Header X-F5-Cert-Subject = [lindex $sso_header_injection_list 4]"
        HTTP::header insert "X-F5-Cert-Subject" [lindex $sso_header_injection_list 4]
        # Note: index 5 holds session.custom.cert.email (see the Variable Assign
        # expression), but the header name here repeats X-F5-Cert-Subject.
        log local0. "Injecting Header X-F5-Cert-Subject = [lindex $sso_header_injection_list 5]"
        HTTP::header insert "X-F5-Cert-Subject" [lindex $sso_header_injection_list 5]
    } elseif { [lindex $sso_header_injection_list 0] == 2 } then {
        log local0. "Non-Certificate user detected..."
        log local0. "Injecting Header X-F5-SessionID = [lindex $sso_header_injection_list 1]"
        HTTP::header insert "X-F5-SessionID" [lindex $sso_header_injection_list 1]
        log local0. "Injecting Header X-F5-Session-start = [lindex $sso_header_injection_list 2]"
        HTTP::header insert "X-F5-Session-start" [lindex $sso_header_injection_list 2]
    }
}
Note: The iRule above requires only a single [ACCESS::session] command execution to retrieve the operation mode and the APM-based HTTP header values.
Cheers, Kai
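A more defensive form of the same single-lookup pattern, added here as an example and not part of Kai's post: it checks that the custom variable exists and has the expected shape before using it, and removes client-supplied copies of the headers before inserting the APM values, since HTTP::header insert only appends. The header name X-F5-Cert-Email for the value at index 5 and the static:: variable names are assumptions.

```tcl
when RULE_INIT {
    # Header names in list-index order (index 1..n); index 0 of the session
    # list is the operation mode. Names are those used in the iRule above,
    # except X-F5-Cert-Email, an assumed name for session.custom.cert.email.
    set static::sso_hdrs_cert [list X-F5-SessionID X-F5-Session-start X-F5-Cert-Issuer X-F5-Cert-Subject X-F5-Cert-Email]
    set static::sso_hdrs_nocert [list X-F5-SessionID X-F5-Session-start]
}

when ACCESS_ACL_ALLOWED {
    # Drop any copies of these headers that arrived with the request, so the
    # backend only ever sees values set by APM.
    HTTP::header remove X-F5-Forwarded-For
    foreach name $static::sso_hdrs_cert {
        HTTP::header remove $name
    }
    HTTP::header insert X-F5-Forwarded-For [IP::client_addr]

    # Still a single session lookup per request.
    set sso_list [ACCESS::session data get session.custom.sso_header_injection]

    # Existence check: an unset variable comes back as an empty string,
    # so index 0 is empty and falls through to the default branch.
    switch -- [lindex $sso_list 0] {
        1 { set names $static::sso_hdrs_cert }
        2 { set names $static::sso_hdrs_nocert }
        default {
            log local0. "session.custom.sso_header_injection missing or unknown mode, no SSO headers injected"
            return
        }
    }

    # Shape check: one mode field plus exactly one value per header.
    if { [llength $sso_list] != [llength $names] + 1 } {
        log local0. "Unexpected header injection list length [llength $sso_list]"
        return
    }

    set i 1
    foreach name $names {
        HTTP::header insert $name [lindex $sso_list $i]
        incr i
    }
}
```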