
SteveD1979
Jun 15, 2023

Help with APM iRule to append URI and URL to call to kill individual sessions

Hi, I'm trying to figure out the best way to get this to work. I need to take the incoming HTTP request https://application.mydomain.com and append a URI. Part of it is static URL/static/static/static/apm session variable value. The variable value will be different for each of the services being called, and that is how OpenShift will redirect the traffic. After this policy the traffic has to be forwarded to another VIP on the F5 that is created by OpenShift. I also wanted to see if I could get help with the URL I need to call to kill any sessions. We have the URL from our external IDP provider but also need to kill the session on the APM.

  • A couple of questions for clarification:

    1. Do you need to append the URI before/during/after APM processes the request?
    2. Can you diagram in text or pic the workflow through BIG-IP? Is this one or more devices?

     

  • Request comes in on URL and hits one VIP in the common partition which has the access policy tied to it. The access policy looks at the SAML XML to authenticate, then if it is allowed it is sent to another VIP on the same pair of LTMs but a different partition (doesn't have its own DNS record). The application configured behind the second VIP runs in OpenShift and requires seeing that /static/static/static/%session.saml.last.attr.name in order to route the traffic correctly. I've been able to add a redirect at the end of the access policy instead of an allow, but not using the same DNS record that points to the VIP. I'm assuming this just sends it in a loop when it is the same? Hopefully that makes sense.

        SteveD1979

        The OpenShift container is expecting one of 3: either the original URL, the IP or the OpenShift proxy URL. We just obviously don't want to expose the IP or the proxy. So sending it through with the original URL with the added URI would be fine. It just seemed like redirecting to the original would send it back through the entire process, hitting the VIP the DNS resolves to with the access policy attached.

      Stan_PIRON_F5

      Hi,

      If you want to redirect the first request after authentication, you can use a variable assign with:

      session.server.landinguri = expression expr { "/static/static/static/[mcget {session.saml.last.attr.name}]" }

      It will force a redirect of the user to this URL after successful authentication.

      If you want to redirect any request on the / URL, you can use the following iRule:

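      when ACCESS_ACL_ALLOWED {
        # Only requests for the site root are redirected; other paths pass through unchanged
        if { [HTTP::path] == "/" } {
          # Static prefix plus "/" and the SAML attribute value, matching the variable assign form above
          ACCESS::respond 302 noserver Location "/static/static/static/[ACCESS::session data get "session.saml.last.attr.name"]"
        }
      }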
        SteveD1979

        Thanks Stan. When I try adding the variable assign I get a page can't be found and I don't see the URI appended in my browser. When I use the iRule I see the redirect in the browser but I still get a page can't be found. I'm thinking because of the DNS loop and the URL being tied to VIP #1.
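
A hardened variant of the redirect iRule from the answer above, added here as an example and not code posted by anyone in the thread: it checks the SAML attribute against an allowlist pattern before placing it in the Location header and fails closed otherwise. The character set in the pattern, the 403 response and the log message are assumptions; adjust them to the service names your IdP actually issues.

```tcl
when ACCESS_ACL_ALLOWED {
    # Act only on the site root, as in the iRule from the answer above
    if { [HTTP::path] ne "/" } {
        return
    }

    # Value asserted by the IdP; treat it as untrusted input to a URL path
    set svc [ACCESS::session data get "session.saml.last.attr.name"]

    # Assumed allowlist: one path segment of letters, digits, dot, dash, underscore.
    # This rejects empty values, slashes, whitespace, CR/LF and other header-breaking characters.
    if { ![regexp {^[A-Za-z0-9._-]+$} $svc] || [string match {*..*} $svc] } {
        log local0.error "Rejected SAML service attribute: not a valid path segment"
        ACCESS::respond 403 content "Forbidden"
        return
    }

    # Same target path as described in the thread, built from the validated value
    ACCESS::respond 302 noserver Location "/static/static/static/$svc"
}
```

Because the redirect target path is no longer "/", the follow-up request passes the first check and is not redirected again by this iRule.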