Encrypt Command

There's simply no way BIG-IP will block a connection for 3 seconds! The microkernel has a completely non-blocking architecture, and the system just wouldn't be able to handle going out to lunch for 3 seconds. There's something else wrong here. Please could you post your rule, and we'll try to reproduce this.

 

 

Have you contacted support/obtained tcpdumps?

You are right. BigIp kernel is not blocking the request.

 

If a page has 10 images then my script is run 10 times. Running decrypt command 10 times is the problem. Some of the page have even more images.

 

I meant to ask is there a way to have a static key and not generate the key for each request and use this key to encrypt and decrypt. By key I don't mean the passphrase.

This is script

when RULE_INIT {
  
}
when CLIENT_ACCEPTED {
}
when HTTP_REQUEST {
  Define cookie variable and is Authentication page isLoginPage variable
  set cookieName "GTWLogin"
  set usernameCookie "GTWUSER"
  set cookieTimeout 15
  set username ""
  set userpwd ""
  set isLoginPage ""  
  set cookieEncPwd "1400"
  set setUserCookie 0
  Define processing variables
  set runRadiusAuthentication 1
  set setCookieDuringResp 0
  set setModAuthHdr 1
  set redirectInd 0
  
  Logging condition
  set debugon 0
  
  Define protected Uri
  set protectedUri "/ll/"
  
  Define unprotected Uri
  set unprotectedUri "/llsupport/"  
  set loginImgUri "/gtwlogin/"
  set unprotectedPage "/gtwlogin/calograd.htm"
  
  Define Radius Authentication identifier
  set asid [AUTH::start pam default_radius]   
  set performAuthId "cGVyZm9ybWF1dGgubWVkaW5zdC5jb20"
  
  Define identifier to choose if login script to be run
  set runCustomLogin 1
  
  set isImageUrl 0
  
  Define logout Uri
  set logout 0
  set logoutPath "/cmd/ICSLogout"
  set logoutPage "/gtwlogin/gtwlogout.htm"
   
   Retrieve all required values
   set cookieDomain [HTTP::host]
   set cookieExists [HTTP::cookie exists $cookieName]
   set ckvalue [HTTP::cookie value $cookieName]
   
   set requestedUri [HTTP::uri]
   set requestedPage [HTTP::path]
   If requested page is logout command ICSLogout   
   if { [HTTP::path] eq $logoutPath } {
       set logout 1
       set runCustomLogin 0
       set setModAuthHdr 0
       set setCookieDuringResp 0
   }
   If requested page is logout page    
   if { $requestedPage eq $logoutPage } {
       set runCustomLogin 0
       set setModAuthHdr 0
       set setCookieDuringResp 0
   }
   If request is for image
   if { [HTTP::path] contains $unprotectedPage || $requestedUri contains $unprotectedUri || $requestedUri contains $loginImgUri || $requestedUri contains ".png" || $requestedUri contains ".gif" || $requestedUri contains ".jpg" || $requestedUri contains ".jpeg" || $requestedUri contains ".css" } {
      set runCustomLogin 0  
      set setModAuthHdr 0
   }
   
   If requested page is protected
   if { [HTTP::uri] contains $protectedUri } {
      set runCustomLogin 1
   }
   
   If cookie exists always run through login script
   if { $cookieExists eq 1 } {
      set runCustonLogin 1
   }
   
   
   
   If the request if for protected uri   
   if { $runCustomLogin ne 0 } {      
      if { $cookieExists } {      
         if { $ckvalue ne "!-100119899091" } {
             HTTP::cookie decrypt $usernameCookie $cookieEncPwd 128
             set username [HTTP::cookie value $usernameCookie]
         } else {
             set username $ckvalue
         }
      }
      set reqdata [HTTP::payload]
      check if it's post from login page
      if { $reqdata contains $performAuthId }
      {
         set runRadiusAuthentication 99
   set tmpUsername [findstr $reqdata "username" 9]
   set username [getfield $tmpUsername "&" 1]   
   set tmppwd [findstr $reqdata "password" 9]
   set userpwd [getfield $tmppwd "&" 1]      
   set isLoginRequested [findstr $reqdata "bigipLogin" 11]
   set isLoginPage [getfield $isLoginRequested "&" 1]               
      }
      log "I am inside runcustomlogin ne 0 $runCustomLogin $runRadiusAuthentication $isLoginPage"
      check if cookie exists but the user had logout already
      if { $cookieExists eq 1 && $ckvalue eq "!-100119899091" && $runRadiusAuthentication ne 99 }
      {
           set redirectInd 99
           set runRadiusAuthentication 0
      }
      check if the session has timeout
      if { $redirectInd ne 99 && $cookieExists eq 1 && $runRadiusAuthentication ne 99} {
   set currenttime [clock seconds]
   set delta [expr $currenttime - $ckvalue]
   if { $delta > 15 } {                      
 set runRadiusAuthentication 0
 set setCookieDuringResp 0
 set setModAuthHdr 0
         set redirectInd 98
   } else {
         set setCookieDuringResp 1
         set runRadiusAuthentication 0
   }
      }
      
       Run radius authentication if runRadiusAuthentication is set to one ||| no Cookie
       if { $runRadiusAuthentication ne 0 && $redirectInd ne 99}
       {
            log "username $username "
            if { $username eq "" || $userpwd eq "" } {
                 set redirectInd 99
            }
            log "About to call authenticate"
            if { $debugon eq 1 } {
       log "Abt to call auth"
    }
    if { $redirectInd ne 99 } {    
         log "About to call authenticate $username : pwd"
         set setModAuthHdr 1
         AUTH::username_credential $asid $username
         AUTH::password_credential $asid $userpwd
         AUTH::authenticate $asid
         if { $redirectInd eq 0 } {
             HTTP::collect       
         }
    }
    log "complete call to auth"
       }   
       set header for mod_auth_anon
       if { $setModAuthHdr eq 1} {
           log "inside mod auth $username"
           set ename [b64encode "$username:\$apr1\$Vk1.....\$fVfqXg8t8iFv.guKLPJdi0"]
           HTTP::header remove Authorization
           HTTP::header insert XAuthorization $ename
           HTTP::header insert Authorization "Basic $ename"
       }             
   }
}
when HTTP_RESPONSE {
   if { $setCookieDuringResp eq 1 } {
     log "setting cookie $requestedUri :: $isImageUrl"
     set cookieval [clock seconds]
     HTTP::cookie insert name $cookieName value $cookieval path / domain $cookieDomain 
     HTTP::cookie encrypt $cookieName $cookieEncPwd 128                             
     HTTP::cookie expires $cookieName $cookieTimeout relative
     
     if { $setUserCookie eq 1 } {
         HTTP::cookie insert name $usernameCookie value [b64encode $username] path / domain $cookieDomain 
         HTTP::cookie insert name $usernameCookie value $username path / domain $cookieDomain 
         HTTP::cookie encrypt $usernameCookie $cookieEncPwd 128                             
         HTTP::cookie discard $usernameCookie enable
         HTTP::cookie expires $usernameCookie $cookieTimeout relative
     }
   }      
   
   if { $redirectInd eq 98 } {
     HTTP::cookie insert name $cookieName value "!-100119899091" path / domain $cookieDomain
     HTTP::cookie insert name $usernameCookie value "!-100119899091" path / domain $cookieDomain
     HTTP::redirect "http://$cookieDomain/gtwlogin/caltimeout.htm"              
   }
   
   if { $redirectInd eq 1 } {
     HTTP::redirect "http://$cookieDomain/gtwlogin/calfail.htm"
   }
   
   if { $redirectInd eq 2 || $redirectInd eq 99} {
     HTTP::redirect "http://$cookieDomain/gtwlogin/calograd.htm"
   }
   
   if { $redirectInd eq 3 } {
     HTTP::redirect "http://$cookieDomain/gtwlogin/calerror.htm"
   }   
   
   if { $logout eq 1 } {     
     HTTP::redirect "http://$cookieDomain/gtwlogin/gtwlogout.htm"
   }
   
   if { $requestedPage eq $logoutPage } {
     HTTP::cookie insert name $cookieName value "!-100119899091" path / domain $cookieDomain
     HTTP::cookie insert name $usernameCookie value "!-100119899091" path / domain $cookieDomain
   }
}
   when AUTH_SUCCESS {
       if { $debugon eq 1 } {
           log "AUTH CALLED"
       }
       if { $asid eq [AUTH::last_event_session_id] }
       {
           set setCookieDuringResp 1  
           set setUserCookie 1
           HTTP::release                  
       }   
   }
   when AUTH_FAILURE {
       if { $asid eq [AUTH::last_event_session_id] }
       {
           set redirectInd 1
           HTTP::release
       }   
   }
   when AUTH_WANTCREDENTIAL {
       if { $debugon eq 1 } {
          log "WANT CRED"
       }
       if { $asid eq [AUTH::last_event_session_id] }
       {
           set redirectInd 2
           HTTP::release
       }   
   }
   when AUTH_ERROR {
       if { $asid eq [AUTH::last_event_session_id] }
       {
           set redirectInd 3
           HTTP::release
       }   
   }

Try:

when RULE_INIT {
   set ::key [AES::key]
}
when HTTP_RESPONSE {
   set decrypted [HTTP::cookie "MyCookie"]
   HTTP::cookie remove "MyCookie"
   set encrypted [b64encode [AES::encrypt $::key $decrypted]]
   HTTP::cookie insert name "MyCookie" value $encrypted
}
when HTTP_REQUEST {
   set encrypted [HTTP::cookie "MyCookie"]
   HTTP::cookie remove "MyCookie"
   set decrypted [AES::decrypt $::key [b64decode $encrypted]]
   HTTP::cookie insert name "MyCookie" value $decrypted
}

I am also worried about your use of the "clock" command unless you have upgraded to 9.2.

I want to point out that this (old) iRule would cause all cookies to be corrupted in a reboot or failover event. I highly recommend using the newer "HTTP::cookie encrypt" command.