

Richard_
May 01, 2015

How to enforce a persistent URI

Hi all,

I was wondering if someone has a better solution than the one I came up with. Mine does not cover all issues. What's it all about?

We've got a remote working solution based on Citrix which is hosted by the BIG-IP appliance. The solution is for several customers, each having its own landing URI. So we've got:

* portal.company.foo/customer1

* portal.company.foo/customer2

* etc.

When you visit the correct portal you get your own customized login screen. After a successful login you are redirected, by a policy, to the correct Citrix Web Interface:

* /Citrix/Xenapp-Cust1

* /Citrix/Xenapp-Cust2

* etc.

No problem so far. Works fine. The problem is that you can change the URI in the Web Interface site. So Customer1 can browse to the site of Customer2.

To prevent that from happening I created the following script:

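when HTTP_REQUEST {
    # Only act on requests for a Citrix Web Interface site.
    if {[string tolower [HTTP::uri]] starts_with "/citrix/xenapp"} {
        if {[HTTP::cookie exists LastMRH_Session]} {
            # Segments: index 0 is empty, 1 is "Citrix", 2 is the site name.
            set lstURI [split [HTTP::uri] /]
            # -excl stores the site name only on the first request of the session
            # and returns the stored value, which replaces the requested site name.
            lset lstURI 2 [table set -excl [HTTP::cookie value LastMRH_Session]-myInitialUri [lindex $lstURI 2] 86400]
            HTTP::uri [join $lstURI /]
        } else {
            log local0. "No cookie called LastMRH_Session yet."
        }
    }
}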

Works fine too. But it only works if your URI starts with /citrix/xenapp. But what if you type something else? The reason for me to put in the IF statement is that I only want to record a correct initial URI.

So my question is: can this be done more elegant and robust? I'm fairly new with this product. Thanks for your help.

Richard
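
A stricter variant of the iRule in the post above, added here as an example and not written by the poster: it checks every path under /Citrix/, records only a Xenapp site name, and answers 403 on a mismatch instead of rewriting the URI. It assumes each customer's content lives only under its own /Citrix/Xenapp-... directory and that LastMRH_Session identifies the session, as the original iRule does.

```tcl
# Added example, not the poster's code. Assumptions: customer content lives
# only under /Citrix/Xenapp-<customer>/ and LastMRH_Session identifies the
# session, as in the iRule above.
when HTTP_REQUEST {
    # Decode and lower-case first so case or percent-encoding variants of
    # the same path are checked too. HTTP::path excludes the query string.
    set path [string tolower [URI::decode [HTTP::path]]]
    if { !($path starts_with "/citrix/") } { return }

    # Same behaviour as the original when no session cookie is present yet.
    if { ![HTTP::cookie exists LastMRH_Session] } {
        log local0. "No cookie called LastMRH_Session yet."
        return
    }

    # Segment 2 is the Web Interface site, e.g. "xenapp-cust1".
    set site [lindex [split $path "/"] 2]
    set key "[HTTP::cookie value LastMRH_Session]-myInitialUri"
    set pinned [table lookup $key]

    if { $pinned eq "" } {
        # First Citrix request of the session: record it only if it is a
        # Xenapp site, so a mistyped path can never become the pinned value.
        if { !($site starts_with "xenapp") } {
            HTTP::respond 403 content "Forbidden"
            return
        }
        # -excl keeps an entry written by a concurrent request and returns
        # the value that is actually stored.
        set pinned [table set -excl $key $site 86400]
    }

    # Any other site name, or anything else under /citrix/, is refused.
    if { $site ne $pinned } {
        log local0. "Citrix site '$site' requested, session is pinned to '$pinned'"
        HTTP::respond 403 content "Forbidden"
    }
}
```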

2 Replies

  • giltjr

    Instead of using the URI to determine which portal site to go to, why don't you use different host names?

     

    "customer".portal.com, where "customer" is the name of the customer's company. You can still have a single virtual host and have both host names point to the same IP address. Set the cookie to the same value as the host name when they originally connected and then just compare the value of that cookie to the current host name in the HTTP request.

     

  • Hi Giltjr,

     

    Thanks for your idea. Initially I wanted different host names, but that would require a wildcard certificate, which costs more than a regular certificate. But it's much more convenient, that's for sure. Unfortunately I'm stuck with a single host name.

     

    The solution of using cookies is a nice alternative for storing the original connection location. I'll keep that in mind.

     

    Thanks.