Forum Discussion

BP_11400's avatar
Icon for Nimbostratus rankNimbostratus
Jun 06, 2011

iRule auth http check

Hello! So we want to setup an iRule to hit an auth PHP script for every request, and based upon the return code either make the original request or drop them to a login page.



Psuedo code:




when http request{


if ( http.fetch( == 200)




else http redirect login.php






The only catch is to make sure the original request cookies get forwarded to the auth script.




I can't seem to find anything to make the http.fetch request. Any ideas would be greatly appreciated, thank you!


4 Replies

  • Hi BP,


    The iRules do not have that type of functionality - not yet at least. There is an indirect technique you can use but it won't be based a triggered event



    Non test example:



    1. Create an HTTP Monitor to monitor the auth PHP Script looking for the return code "200".


    2. Create a pool called Monitor AUTH_PHPCHECK_POOL which contains the web server(s) that contain the PHP script and associate the HTTP Monitor


    3. Then you could use the following iRULE on the virtual address that points to the REAL pool.



    when HTTP_REQUEST {
        if {[active_members AUTH_PHPCHECK_POOL] = 0 } {
             Log local0. "Redirect accepted because AUTH_PHPCHECK_POOL monitor failed"
             HTTP::redirect "http://[HTTP::host]/login.php"



    There are pro's and cons with this. The one con that comes to mind is you can check the auth php in realtime with respect the HTTP Request- since monitors are based on intervals You can lower to 1 second but that usually isn't recommended for monitoring.



    However, if you are looking to redirect any request based on a HTTP STATUS other then 200 then you can do the following



    when HTTP_RESPONSE {
      if { !([HTTP::status] == 200) } {
         HTTP::redirect "http://[HTTP::host]/login.php"
    This doesn't check the exact PHP script - it simply redirects you based on the website responding back with anything beyond a HTTP STATUS Code of 200.


    I hope this helps,


  • John_Alam_45640's avatar
    Historic F5 Account
    So there are two options, neither of which are for the novice.



    Option 1, use an APM, It can do the forwading and the login page. Version 10.2.1 is ideal for this. You have 10 free APM licenses. You will have to setup an APM policy with what we call "HTTP auth". It is a bit involved and difficult to describe here but, Devcentral has a lot of information on the APM as well as some examples.





    Option 2:



    with an I-Rule, allow the request to get to the server un-authenticated. When the server refuses the connection, you capture that in the HTTP_RESPONSE event. Since you are in the HTTP_RESPONSE event, you can then use the HTTP::retry command. This re-run the HTTP Request as if it just came from the client only this time you have set a flag that says "go to the PHP script". The "node" is set to point to your PHP script and the Request is modified to suit the script. You also save the original request in a varialble. When the response from the PHP script comes back, again you would be in HTTP_RESPONSE, this time, you modify the original request so that it is accepted by the server, issue the HTTP::retry again using the modified original request. THis time you have the proper cookie or flag and you will be forwarded normally.



    here is the HTTP::retry page, there are examples:




    Also search devcentral for HTTP::retry, there are many examples.


  • Deb had a fairly in depth example of this in an HTTP::retry article here:





  • "So there are two options, neither of which are for the novice. "



    I disagree. Exactly the kind of project for a novice to become a skilled iRuler.