Forum Discussion
Help with APM irule to append URI and URL to call to kill individual sessions
Request comes in on URL and hits one VIP a the common partition which has the access policy tied to it. The access policy looks at the SAML XML to authenticate then if it is allowed it is sent to another VIP on the same pair of LTMs but a different partition (doesn't have its own DNS record). The application configured behind the second VIP runs in Openshift and requires seeing that /static/static/static/%session.saml.last.attr.name in order to route the traffic correctly. I've been able to add a redirect at the end of the access policy instead of an allow but not using the same DNS record that points to the VIP. I'm assuming this just sends it in a loop when it is the same? Hopefully that makes sense
- Michael_WaechterJun 16, 2023Employee
What is the URL the final application is expecting?
is it www.test.com = apm vip
forward session variables and continue request to www.test.com on vip 2 or is it expecting another url all together?
- SteveD1979Jun 17, 2023Cirrostratus
The openshift container is expecting one of 3. Either the oringal URL, the IP or the openshift proxy URL. We just obviously don't want to expose the IP or the proxy. So sending it through with the original URL with the added URI would be fine. It just seemed like redirecting to the original would send it back through the entire process hitting the VIP the DNS resolves to with the access policy attached.
- Mayur_TJun 17, 2023Employee
To avoid loop, may want to use ‘MRHSession and LastMRH_Session’ cookies in your irule while sending it through with the original URL with added URI. And use ‘STREAM::disable’ then for return traffic ‘STREAM::enable’
So when it comes with the session ID inside the query parameters, disable the Access.
- Stan_PIRON_F5Jun 19, 2023Employee
Hi,
If you want to redirect first request after authentication, you can use a variable assign with:
session.server.landinguri = expression expr{ "/static/static/static/[mcget {session.saml.last.attr.name}]" }
It will force to redirect the user to this url after succeded authentication
If you want to redirect for any request on / URL, you can use following irule
when ACCESS_ACL_ALLOWED { if { [HTTP::path] == "/" } { ACCESS::respond 302 noserver Location "/static/static/static[ACCESS::session data get "session.saml.last.attr.name"]" } }
- SteveD1979Jun 20, 2023Cirrostratus
Thanks Stan. When I try adding the variable assign I get a page can't be found and I don't see the URI appended in my browser. When I use the Irule i see the redirect in the browser but I still get a page can't be found. I'm thinking because of the DNS loop and the URL being tied to VIP #1.
- Michael_WaechterJun 20, 2023Employee
You will have to apply the select virtual after the apm policy processing. Since the VIP #2 does not have a dns entry, you will need to force it through via an irule to select the virtual after processing. Personally I'd recommend adding a dns entry, and make it simple, but you can do it in an irule to forcefully select the virtual.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com