Forum Discussion
david78
Nimbostratus
NimbostratusiRule doesn't work after upgrade :(
hello,
After upgrade v11.0 to v11.1 this iRule don't work.
there is no error message, but the client is redirected to / vdesk/hangup.php3
The first queries are ok, but not all.
when HTTP_REQUEST {
for no redirect to /my.policy
HTTP::header insert "clientless-mode" 1
if { [ACCESS::policy result] ne "allow" } {
if { [HTTP::header Authorization] eq "" } {
HTTP::respond 401 WWW-Authenticate Basic realm=\"Unspecified\"" Connection close
return
} else {
set username [HTTP::username]
set password [HTTP::password]
}
}
}
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "no_redirect" } {
if { [info exists username] } {
ACCESS::session data set session.logon.last.username $username
ACCESS::session data set session.logon.last.password $password
}
}
}
when ACCESS_POLICY_COMPLETED {
if { [ACCESS::session data get session.ldap.last.authresult] eq "0" } {
ACCESS::respond 401 content "Error: Failure in Authentication" Connection close
return
}
]
thx
MiLK_MaNHi david,
Are you aware of the HTTP 401 agent within APM? You can use this instead of iRules to issue a HTTP 401 with WWW-Authenticate Basic (and/or Negotiate, but not relevant to what you are doing). This option was introduced in v11.0.0.- I don't see anything that obviously changed in 11.1 that should be causing problems for you. Time to start adding some log statements in different sections of the rule to see where things are actually failing. If there are no errors being dumped to the log, you need to start tracking down which parts are not successfully executing on the connections that are being dropped.
Colin - It possible that some ACCESS commands do not work in HTTP events like they used to. Use this irule, it should work in both versions:
when RULE_INIT {
set static::ACCESS_APM_LOG_PREFIX "01490000:3:"
set static::HttpRealm ""
}
when HTTP_REQUEST {
set http_hdr_auth [HTTP::header Authorization]
if { [ string first Basic $http_hdr_auth ] == -1 } {
log -noname accesscontrol.local1.debug "$static::ACCESS_APM_LOG_PREFIX Not basic authentication. Ignore received auth header"
set http_hdr_auth ""
}
if { $http_hdr_auth == "" } {
log -noname accesscontrol.local1.debug "$static::ACCESS_APM_LOG_PREFIX No/Empty Auth header"
HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate "Basic realm=\"$static::HttpRealm\"" Connection Close
return
}
set username [HTTP::username]
set password [HTTP::password]
}
when ACCESS_SESSION_STARTED {
if { [ info exists username ] } {
ACCESS::session data set session.logon.last.username $username
ACCESS::session data set session.logon.last.password $password
}
} 
david78double post ...- david78Hi,
Milk_man, i can't use the HTTP 401 agent within APM because some client don't support the redirection to /my.policy that APM need to authenticate.
however, i rewrite the HTTP_REQUEST layer and it's work now in v11.1 :D
Look my new irule :
when HTTP_REQUEST {
if { [ACCESS::policy result] eq "deny" } {
HTTP::header insert "clientless-mode" 1
set username [HTTP::username]
set password [HTTP::password]
HTTP::cookie remove LastMRH_Session
HTTP::cookie remove MRHSession
HTTP::header remove Authorization
} elseif { [ACCESS::policy result] ne "allow" } {
HTTP::header insert "clientless-mode" 1
if { [HTTP::header Authorization] eq "" } {
HTTP::respond 401 WWW-Authenticate Basic realm=\"Unspecified\" Connection close
return
} else {
set username [HTTP::username]
set password [HTTP::password]
HTTP::header remove Authorization
}
}
}
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "no_redirect" } {
if { [info exists username] } {
ACCESS::session data set session.logon.last.username $username
ACCESS::session data set session.logon.last.password $password
}
}
}
when ACCESS_POLICY_COMPLETED {
if { [ACCESS::session data get session.ldap.last.authresult] eq "0" } {
ACCESS::respond 401 content "Error: Failure in Authentication" Connection close
return
}
thank all
