Forum Discussion

erik_howl_25558's avatar
erik_howl_25558
Icon for Nimbostratus rankNimbostratus
Mar 27, 2007

HTTP Authentication

Dear all,     Can LTM use irules to perform HTTP authentication based on local .htaccess / .htpasswd (like in Apache)?     Many thanks.  
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Sep 12, 2008
You can check the wikipedia page (Click here) for details on basic HTTP auth. You could use a rule to check for the authorization header, split the header value, base64 decode the user:pass and verify it's in an allowed list. If not, send back a 401 response.

If it's just one user:pass that you need to support, you could base64 encode the value and check for that rather than base64 decoding every value in the request. If you have multiple logins, you could add them to a datagroup.

Example request with an authorization header:

GET /private/index.html HTTP/1.0

Host: localhost

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Here is an untested example: 

  
  when RULE_INIT {  
    
      Set the single username and password here delimited with a colon  
     set ::global_user_pass "testuser:testpass"  
    
      Base64 encode the user:pass  
     set ::global_user_pass [b64encode $::global_user_pass]  
    
     log local0. "Encoded \$::global_user_pass: $::global_user_pass "  
  }  
  when HTTP_REQUEST {  
    
     log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to \ 
       [HTTP::host][HTTP::uri] with auth value: [HTTP::header value Authorization]"  
    
      Check if there is an authorization header with a length  
     if {[string length [HTTP::header value "Authorization"]]}{  
    
         Get the second field from the header value  
        set encoded_user_pass [getfield [HTTP::header value "Authorization"] " " 2]  
        log local0. "[IP::client_addr]:[TCP::client_port]: Parsed Authorization value $encoded_user_pass"  
    
         Check the encoded user:pass from the request against the global user:pass  
        if {$encoded_user_pass eq $::global_user_pass}{  
    
            Credentials were okay, so exit this rule (don't send a 401 response  
           log local0. "[IP::client_addr]:[TCP::client_port]: credentials were valid."  
   return  
        } 
     } 
      If we got here, the request didn't contain a valid user:pass, so send a 401 response to prompt user for credentials.  
      The format for HTTP::respond is the content and then space delimited header name followed by the header value  
     HTTP::respond 401 content {        "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">  
              
                
                Error  
                  
                
              401 Unauthorised.  
            } WWW-Authenticate "Basic realm=\"Secure Area\""  
    
     log local0. "[IP::client_addr]:[TCP::client_port]: Sending 401 response."  
  }

Once you're done testing, you could remove the intermediate variable, $encoded_user_pass and disable the logging.

Aaron