Forum Discussion
ukstin
Nimbostratus
Jan 29, 2009
encrypt/decrypt URI
Hi,
I'm trying to write an iRule to encrypt and decrypt the URI with a cookie value as the key. But it's not working as expected. Does somebody have any opinion about this iRule?
```tcl
when HTTP_REQUEST {
    set uri [HTTP::uri]
    set host [HTTP::host]
    if { [HTTP::cookie exists "JSESSIONID"] } {
        # Cookie value used as the AES key ($IDkey was logged but never set)
        set IDkey [HTTP::cookie value "JSESSIONID"]
        # catch returns 0 when the decrypt succeeds; the result lands in $decrypted
        if { not ([catch { AES::decrypt $IDkey [b64decode $uri] } decrypted]) } {
            log local0. "session: $IDkey uri $uri decriptada: $decrypted"
            HTTP::uri $decrypted
            set uri $decrypted
        }
    }
}
when HTTP_RESPONSE {
    # In this event HTTP::cookie reads the cookies set on the response
    if { [HTTP::cookie exists "JSESSIONID"] } {
        set IDkey [HTTP::cookie value "JSESSIONID"]
        set encrypted [b64encode [AES::encrypt $IDkey $uri]]
        log local0. "session: $IDkey uri: $uri encriptada: $encrypted"
        HTTP::header replace Location "$encrypted"
    }
}
```

11 Replies
- ukstin
Nimbostratus
I've changed the scope of the iRule a little: instead of encrypting/decrypting the URI, I create an (encrypted) cookie to control access to a specific pool.
In the default pool, the application already has an authentication control, but the other pool is called by the default one and has no user session or any type of control, so without the iRule any internet user could access the application. The last version of the iRule is listed below:

```tcl
when RULE_INIT {
    set ::cookiename "JSESSIONKEY"
    set ::aeskey [AES::key 128]
}
when HTTP_REQUEST {
    set collect_payload 1
    set http_query [findstr [HTTP::query] "key=" 4 end]
    set http_uri [string tolower [HTTP::uri]]
    if { [HTTP::cookie exists $::cookiename] } {
        set collect_payload 0
    }
    if { $collect_payload } {
        # No chunking
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
    if { $http_uri starts_with "/pool_to_protect" } {
        if { [AES::decrypt $::aeskey [b64decode [URI::decode [HTTP::cookie value $::cookiename]]]] eq $http_query } {
            pool pool_protected
        }
    } elseif { $http_uri starts_with "/default_pool" } {
        pool pool_default
    }
}
when HTTP_RESPONSE {
    if { $collect_payload } {
        # Collect Content-Length bytes, or default to 1 MB
        set clen [HTTP::header Content-Length]
        if { not [info exists clen] or "" eq $clen } {
            set clen 1000000
        }
        HTTP::collect $clen
    }
}
when HTTP_RESPONSE_DATA {
    if { $collect_payload } {
        set chave [findstr [HTTP::payload] "key = " 7 "'"]
        if { [string length $chave] > 1 } {
            HTTP::cookie insert name $::cookiename value [URI::encode [b64encode [AES::encrypt $::aeskey $chave]]] path "/" domain "www.domain.com"
        }
    }
}
```
Thanks to everyone for the help and tips.
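
The request-side check from the post above with its failure paths handled, as an added example that is not the poster's code. The cookie name, pool names and key handling come from the post; the 403 response, the `&` terminator passed to `findstr`, the `catch` around the decode/decrypt step and the log line are assumptions made for this sketch.

```tcl
when RULE_INIT {
    # Names and key generation as in the post above
    set ::cookiename "JSESSIONKEY"
    set ::aeskey [AES::key 128]
}
when HTTP_REQUEST {
    set http_uri [string tolower [HTTP::uri]]
    if { $http_uri starts_with "/pool_to_protect" } {
        set allowed 0
        # Assumption: stop at "&" so later query parameters are not part of the value
        set http_query [findstr [HTTP::query] "key=" 4 "&"]
        if { $http_query ne "" && [HTTP::cookie exists $::cookiename] } {
            set raw [HTTP::cookie value $::cookiename]
            # Any Tcl error raised while decoding or decrypting a tampered or
            # truncated cookie is caught here and treated as a mismatch
            if { [catch { AES::decrypt $::aeskey [b64decode [URI::decode $raw]] } plain] == 0 } {
                # Require a non-empty plaintext so two empty strings never compare equal
                if { $plain ne "" && $plain eq $http_query } {
                    set allowed 1
                }
            }
        }
        if { $allowed } {
            pool pool_protected
        } else {
            # Assumption: deny explicitly instead of falling through to the
            # virtual server's default pool
            log local0. "denied [IP::client_addr] uri [HTTP::uri]"
            HTTP::respond 403 content "Forbidden"
        }
    } elseif { $http_uri starts_with "/default_pool" } {
        pool pool_default
    }
}
```

The response-side events that issue the cookie stay as posted; only the decision on `/pool_to_protect` changes.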
