Forum Discussion

david78's avatar
david78
Icon for Nimbostratus rankNimbostratus
Dec 22, 2011

iRule doesn't work after upgrade :(

hello,

 

 

After upgrade v11.0 to v11.1 this iRule don't work.

 

there is no error message, but the client is redirected to / vdesk/hangup.php3

 

The first queries are ok, but not all.

 

 

 

 

 

when HTTP_REQUEST {

 

for no redirect to /my.policy

 

HTTP::header insert "clientless-mode" 1

 

 

 

if { [ACCESS::policy result] ne "allow" } {

 

if { [HTTP::header Authorization] eq "" } {

 

HTTP::respond 401 WWW-Authenticate Basic realm=\"Unspecified\"" Connection close

 

return

 

} else {

 

set username [HTTP::username]

 

set password [HTTP::password]

 

}

 

}

 

}

 

 

 

 

 

when ACCESS_POLICY_AGENT_EVENT {

 

if { [ACCESS::policy agent_id] eq "no_redirect" } {

 

if { [info exists username] } {

 

ACCESS::session data set session.logon.last.username $username

 

ACCESS::session data set session.logon.last.password $password

 

}

 

}

 

}

 

 

 

when ACCESS_POLICY_COMPLETED {

 

if { [ACCESS::session data get session.ldap.last.authresult] eq "0" } {

 

ACCESS::respond 401 content "Error: Failure in Authentication" Connection close

 

return

 

}

 

]

 

 

 

 

 

 

 

thx

 

 

  • Hi david,

     

     

    Are you aware of the HTTP 401 agent within APM? You can use this instead of iRules to issue a HTTP 401 with WWW-Authenticate Basic (and/or Negotiate, but not relevant to what you are doing). This option was introduced in v11.0.0.

     

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    I don't see anything that obviously changed in 11.1 that should be causing problems for you. Time to start adding some log statements in different sections of the rule to see where things are actually failing. If there are no errors being dumped to the log, you need to start tracking down which parts are not successfully executing on the connections that are being dropped.

     

     

    Colin
  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    It possible that some ACCESS commands do not work in HTTP events like they used to. Use this irule, it should work in both versions:

     

     

    when RULE_INIT {

     

    set static::ACCESS_APM_LOG_PREFIX "01490000:3:"

     

    set static::HttpRealm ""

     

    }

     

     

     

    when HTTP_REQUEST {

     

     

     

     

    set http_hdr_auth [HTTP::header Authorization]

     

    if { [ string first Basic $http_hdr_auth ] == -1 } {

     

    log -noname accesscontrol.local1.debug "$static::ACCESS_APM_LOG_PREFIX Not basic authentication. Ignore received auth header"

     

    set http_hdr_auth ""

     

    }

     

     

    if { $http_hdr_auth == "" } {

     

    log -noname accesscontrol.local1.debug "$static::ACCESS_APM_LOG_PREFIX No/Empty Auth header"

     

     

    HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate "Basic realm=\"$static::HttpRealm\"" Connection Close

     

    return

     

    }

     

     

    set username [HTTP::username]

     

    set password [HTTP::password]

     

     

    }

     

     

     

    when ACCESS_SESSION_STARTED {

     

    if { [ info exists username ] } {

     

    ACCESS::session data set session.logon.last.username $username

     

    ACCESS::session data set session.logon.last.password $password

     

    }

     

    }
  • Hi,

     

     

    Milk_man, i can't use the HTTP 401 agent within APM because some client don't support the redirection to /my.policy that APM need to authenticate.

     

     

    however, i rewrite the HTTP_REQUEST layer and it's work now in v11.1 :D

     

     

    Look my new irule :

     

     

    when HTTP_REQUEST {

     

    if { [ACCESS::policy result] eq "deny" } {

     

     

    HTTP::header insert "clientless-mode" 1

     

     

    set username [HTTP::username]

     

    set password [HTTP::password]

     

     

    HTTP::cookie remove LastMRH_Session

     

    HTTP::cookie remove MRHSession

     

     

    HTTP::header remove Authorization

     

     

    } elseif { [ACCESS::policy result] ne "allow" } {

     

     

    HTTP::header insert "clientless-mode" 1

     

     

    if { [HTTP::header Authorization] eq "" } {

     

    HTTP::respond 401 WWW-Authenticate Basic realm=\"Unspecified\" Connection close

     

    return

     

    } else {

     

    set username [HTTP::username]

     

    set password [HTTP::password]

     

     

    HTTP::header remove Authorization

     

    }

     

    }

     

    }

     

     

    when ACCESS_POLICY_AGENT_EVENT {

     

     

    if { [ACCESS::policy agent_id] eq "no_redirect" } {

     

     

    if { [info exists username] } {

     

     

    ACCESS::session data set session.logon.last.username $username

     

     

    ACCESS::session data set session.logon.last.password $password

     

     

    }

     

     

    }

     

     

    }

     

     

     

     

     

    when ACCESS_POLICY_COMPLETED {

     

     

    if { [ACCESS::session data get session.ldap.last.authresult] eq "0" } {

     

     

    ACCESS::respond 401 content "Error: Failure in Authentication" Connection close

     

     

    return

     

     

    }

     

     

     

    thank all