
Forum Discussion

vaahtera
Nov 05, 2019

HSSR sideband connection for querying LDAP not working

I'm having this issue: I can't get the sideband connection to work. The code is like this:

 

when HTTP_REQUEST {

  set apikey [URI::query [HTTP::uri] api-key]
  log local0. $apikey

  if { $apikey eq "" } {
    log local0. "apikey is empty, redirecting to another virtual"
    virtual test-internal
  } else {
    log local0. "We got the apikey and begin HSSR connection"
    set status [call /Common/HSSR::http_req -virt "/test-internal-api" \
                 -uri "http://test.com/[URI::encode $apikey]" \
                 -tag "custom" -key $apikey -rbody rbody]

    if {($status == 200) && ($rbody ne "NOT_FOUND")} {
      log local0. "HSSR query successful, redirecting traffic to pool"
      pool test-pool
      return
    }
  }
}

 

The test-internal-api virtual is assigned an access policy that has a simple LDAP query and an iRule that gets the reply for the sideband query.

 

Now when the user goes to that virtual where the iRule is assigned, ltm logs the following lines:

 

Nov 5 15:27:59 f5test01 info tmm1[17166]: Rule /Common/APIKEY <HTTP_REQUEST>: 010101-123N

Nov 5 15:27:59 f5test01 info tmm1[17166]: Rule /Common/APIKEY <HTTP_REQUEST>: We got the apikey and begin HSSR connection

Nov 5 15:27:59 f5test01 err tmm1[17166]: 01220001:3: TCL error: /Common/APIKEY <HTTP_REQUEST> - can't read "sts": no such variable   while executing "set e "connect to ${dest} '${server}' fails: ${sts} (${conn})""  (iRule proc "/Common/HSSR::http_req") (line 430)   invoked from within "call /Common/HSSR::http_req -virt "/test-internal-api" -uri "http://test.com/" -tag "custom" -key $apikey -r..."   invoked from within "if { $apikey eq "" } {   log local0. "apikey is empty, redirecting to another virtual"   virtual test-internal..."

 

What is that sts and where should it come from? No matter what I do to the call, the error is the same...

1 Reply

  • OK, got this a bit further. I was missing the /Common before the virtual server in the call. But now, as the other virtual has this iRule code, it never gets to the ACCESS_POLICY_COMPLETED:

     

    when HTTP_REQUEST {
      log local0. "Got http request to internal virtual"
      set apikey ""
      if {[HTTP::path] starts_with "/"} {
        regexp {/([^/]+)$} [HTTP::path] junk x
        set apikey [URI::decode $x]
      }
    }

    when ACCESS_SESSION_STARTED {
      if {$apikey ne ""} {
        log local0. "Access session started on internal virtual"
        ACCESS::session data set session.custom.apikey $apikey
      }
    }

    when ACCESS_POLICY_COMPLETED {
      set reply "NOT_FOUND"
      if {[ACCESS::session data get session.ldap.last.queryresult] == 1} {
        set reply [ACCESS::session data get session.ldap.last.attr.apikey]
      }
      log local0. "Access session policy completed with reply: $reply"
      ACCESS::respond 200 content $reply Content-Type "text/plain" Connection close
    }

    The access policy attached to this internal virtual contains only one LDAP query that ends in deny no matter what the query result is.

     

    What am I missing here?