Forum Discussion
Help with APM iRule to append URI and URL to call to kill individual sessions
Request comes in on URL and hits one VIP at the common partition which has the access policy tied to it. The access policy looks at the SAML XML to authenticate, then if it is allowed it is sent to another VIP on the same pair of LTMs but a different partition (doesn't have its own DNS record). The application configured behind the second VIP runs in OpenShift and requires seeing that /static/static/static/%session.saml.last.attr.name in order to route the traffic correctly. I've been able to add a redirect at the end of the access policy instead of an allow, but not using the same DNS record that points to the VIP. I'm assuming this just sends it in a loop when it is the same? Hopefully that makes sense.
Hi,
If you want to redirect the first request after authentication, you can use a variable assign with:
    session.server.landinguri = expression expr { "/static/static/static/[mcget {session.saml.last.attr.name}]" }
It will force the user to be redirected to this URL after successful authentication.
If you want to redirect any request on the / URL, you can use the following iRule:
    when ACCESS_ACL_ALLOWED {
        # Redirect requests for the root path to the path built from the SAML attribute
        if { [HTTP::path] == "/" } {
            ACCESS::respond 302 noserver Location "/static/static/static/[ACCESS::session data get "session.saml.last.attr.name"]"
        }
    }
- SteveD1979, Jun 20, 2023, Cirrostratus
Thanks Stan. When I try adding the variable assign I get a page can't be found and I don't see the URI appended in my browser. When I use the iRule I see the redirect in the browser but I still get a page can't be found. I'm thinking because of the DNS loop and the URL being tied to VIP #1.
- Michael_Waechter, Jun 20, 2023, Employee
You will have to apply the select virtual after the APM policy processing. Since VIP #2 does not have a DNS entry, you will need to force it through via an iRule to select the virtual after processing. Personally I'd recommend adding a DNS entry, and make it simple, but you can do it in an iRule to forcefully select the virtual.
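One way to combine the redirect and the forced virtual selection discussed above, as an added example that is not code from any participant in the thread. The virtual server name `/App_Partition/vs_openshift_app` is a placeholder, and the character allow-list applied to the SAML attribute is an assumption about what the attribute contains; the check is there because the attribute value ends up in a URL path.

```tcl
# Added example: attach to VIP #1 (the virtual server that carries the access policy).
when ACCESS_ACL_ALLOWED {
    # SAML attribute the application uses for routing (session variable name from the thread).
    set attr [ACCESS::session data get "session.saml.last.attr.name"]

    # Assumption: the attribute is a simple token. Refuse empty values and anything
    # that could change the path or inject headers (slashes, dots, CR/LF, ? or #).
    if { ![regexp {^[A-Za-z0-9_-]+$} $attr] } {
        ACCESS::respond 403 content "Invalid routing attribute" Connection close
        return
    }

    set target "/static/static/static/$attr"

    # Redirect only the bare root path, so the redirected request
    # (which no longer has path "/") is not redirected again.
    if { [HTTP::path] eq "/" } {
        ACCESS::respond 302 noserver Location $target
        return
    }

    # Send the authenticated request to VIP #2 in the other partition.
    # Placeholder: replace with the real /<partition>/<virtual server> name.
    virtual /App_Partition/vs_openshift_app
}
```

Because VIP #2 is reached only through the `virtual` command here, it needs no DNS record of its own, and the browser keeps using the hostname that resolves to VIP #1.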