Forum Discussion

Giuseppe_Casabl's avatar
Giuseppe_Casabl
Icon for Nimbostratus rankNimbostratus
Dec 12, 2008

how to remove Authorization http header

Hi

 

I'm testing the IRule functionality. I do radius authentication of the virtual server and then the request is passing to a pool. Now I got a Error 500 because the Authorization header is set. The server doesn't accept the authorization header. Can I remove the authorization header when the request is passing to the pool?

 

Could you provide me an example ?

 

 

Many thanks

 

 

Giuseppe
  • Hi Giuseppe,

     

     

    I think in the HTTP Profile you could use the Request Header Erase option.

     

     

    Regards

     

     

    Jürg
  • Hi Juerg

     

    I already tried to remove the header in the http profile. The problem is, that when I remove the authorization header then the LTM doesn't send my request to the pool because it means that the authentication was not successfull. What I want to do is remove the authorization header only from the LTM to the backend. From the client to the LTM the authorization header should remain.

     

     

    Ciaoooooo
  • Hi Giuseppe,

    The HTTP profile configuration for adding/removing headers is performed before HTTP_REQUEST is triggered. The auth header is read in default HTTP_REQUEST event (priority 500). So that's why the profile option to remove the auth header would prevent the authorization from working.

    You can use an iRule with a priority (Click here) set to greater than the default of 500 to remove the auth header after the auth iRule uses it:

      
       when HTTP_REQUEST priority 501 {   
          
           Remove the Authorization header after the system authorization iRule runs (at priority 500)   
          if {[HTTP::header exists Authorization]}{   
          
             HTTP::header remove Authorization   
          }   
       }   
       

    Aaron
  • Hi Hollio

     

    I tried but it doesn't work. Our clients must first authenticate to the ltm with radius authentication (works well) then when they are authenticated they must authenticate theirself to the server. The connection is ssl from the Client to the LTM and ssl from the LTM to the server. When I try to connect the server response with a 500 Error Code. I tested the all thing with an apache reverse proxy and I have seen that the reverse proxy doesn't pass the authentication from the radius authentication to the server, so it works.
  • With the above rule, do you see that the Authorization header is removed from the request after the Radius authentication is performed?

     

     

    Aaron
  • Hi Giuseppe,

     

     

    Check out "Serverside" command to remove the Header only in the direction to the server..

     

     

    Jürg
  • So using this iRule will remove the Authroization Header to the Backend System.

     

     

    But, after Authenticating on the Backend it should not be removed......

     

    So we need something else to take care on. So this is not really the whole solution...

     

     

     

    when HTTP_REQUEST priority 501 {

     

    Remove the Authorization header after the system authorization iRule runs (at priority 500)

     

    if {[HTTP::header exists Authorization]} {

     

    [serverside {HTTP::header remove Authorization}]}

     

    }

     

     

    Regards

     

     

    Jürg
  • How I created the iRule based on _sys_auth_radius

    What it will do is adding a Cookie "Welcome" to the response when Authentication on BIG-IP was successful.

    If Cookie exists no further Authentication takes place on the BIG-IP and the Request is forwaded to the destination after (Authentication Header is removed)

    when HTTP_REQUEST {  
      set doit "bad"  
      if { not [ HTTP::cookie exists "Welcome"] } {  
      set doit "bad"  
              if {not [info exists tmm_auth_http_sids(radius)]} {  
                  set tmm_auth_sid [AUTH::start pam default_radius]  
                  set tmm_auth_http_sids(radius) $tmm_auth_sid  
                  if {[info exists tmm_auth_subscription]} {  
                      AUTH::subscribe $tmm_auth_sid  
                  }  
              } else {  
                  set tmm_auth_sid $tmm_auth_http_sids(radius)  
              }  
              AUTH::username_credential $tmm_auth_sid [HTTP::username]  
              AUTH::password_credential $tmm_auth_sid [HTTP::password]  
              AUTH::authenticate $tmm_auth_sid  
        
              if {not [info exists tmm_auth_http_collect_count]} {  
                  HTTP::collect  
                  set tmm_auth_http_successes 0  
                  set tmm_auth_http_collect_count 1  
              } else {  
                  incr tmm_auth_http_collect_count  
              }  
          }   else {  
         HTTP::header remove Authorization  
       }  
      }  
        
          when AUTH_RESULT {  
              if {not [info exists tmm_auth_http_sids(radius)] or \  
                  ($tmm_auth_http_sids(radius) != [AUTH::last_event_session_id]) or \  
                  (not [info exists tmm_auth_http_collect_count])} {  
                    
              }  
              if {[AUTH::status] == 0} {  
                  incr tmm_auth_http_successes  
                  set doit "ok"  
                  }  
               If multiple auth sessions are pending and  
               one failure results in termination and this is a failure  
               or enough successes have now occurred  
              if {([array size tmm_auth_http_sids] > 1) and \  
                  ((not [info exists tmm_auth_http_sufficient_successes] or \  
                   ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {  
                   Abort the other auth sessions  
                  foreach {type sid} [array get tmm_auth_http_sids] {  
                      unset tmm_auth_http_sids($type)  
                      if {($type ne "radius") and ($sid != -1)} {  
                          AUTH::abort $sid  
                          incr tmm_auth_http_collect_count -1  
                      }  
                  }  
              }  
               If this is the last outstanding auth then either  
               release or respond to this session  
              incr tmm_auth_http_collect_count -1  
              if {$tmm_auth_http_collect_count == 0} {  
                  unset tmm_auth_http_collect_count  
                  if { [AUTH::status] == 0 } {  
                  HTTP::release  
                  } else {  
                      HTTP::respond 401  
                  }  
              }  
          }  
        
      when HTTP_RESPONSE {  
        if {not [ HTTP::cookie exists "Welcome"] } {  
        if { $doit eq "ok"} {    
      HTTP::cookie insert name "Welcome" value [IP::client_addr]  
        log local0. "cookie please" }    
       }}