For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dennis_Andrade_'s avatar
Dennis_Andrade_
Icon for Nimbostratus rankNimbostratus
Oct 01, 2013

Extract hostname from URL using the edge client

The user is connected to the edge client in the ipad or iphone. We have a Virtual server with a network access for setup for that. They then open the browser and browse to an internal URL which is pointing to a load balancer in the same F5 box. I would like to extract the hostname the user is entering in the browser through the VPN tunnel. Any ideas? I have tried using an iRule on the Load Balancer virtual server using http_request but that does not work. I also tried to use an APM in the load balancer so I could call ACCESS_POLICY_AGENT_EVENT but it doesn't look like I can have an access policy in the load balancer since it's using an internal IP and there is already a session created with the VPN access policy.

 

design

5 Replies

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Oct 02, 2013

    Hmmm. What would you like to do with that hostname, log it? Did you apply the iRule to the network access virtual server or the internal website virtual server?

     

  • Dennis_Andrade_'s avatar
    Dennis_Andrade_
    Icon for Nimbostratus rankNimbostratus
    Oct 02, 2013

    The iRule is applied to the internal virtual server (Load balancer). The backend servers listen on different hostnames for different applications. So the user coming in might not have access to application A but do have access to application B. We need the hostname to allow or deny the user access to the application.

     

  • Dennis_Andrade_'s avatar
    Dennis_Andrade_
    Icon for Nimbostratus rankNimbostratus
    Oct 02, 2013

    This code works if we have only the ACCESS_ACL_ALLOWED. If I Add the HTTP_REQUEST the access to the application hangs. Don't see any errors in the LTM logs. For the ACCESS_POLICY_AGENT_EVENT, I added an access policy and added and iRule event in there allowing everybody access but I added a log in that section and the access policy doesn't seem to kick in.

     

    when HTTP_REQUEST {
   set ::temphost [HTTP::host]
}
when ACCESS_POLICY_AGENT_EVENT {
   ACCESS::session data set session.custom.host $::temphost
}
when ACCESS_ACL_ALLOWED {
   set user "[ACCESS::session data get "session.logon.last.username"]"
   HTTP::header insert X-UPN $user
}
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 04, 2013

    I just tested this and it seems to work. I can see where you wouldn't want to use APM on the internal VIP, but you should certainly be able to see HTTP request events on the internal VIP inside the VPN. If you remove the access profile from the internal VIP, keep the HTTP profile, and then use the HTTP_REQUEST event only on the internal iRule, do you get to the application(s)?