Forum Discussion

winddlover_9858's avatar
Icon for Nimbostratus rankNimbostratus
Jan 14, 2011

iRule for access VIP based on user name

I am configuring VIP and implementing basic authentication method over SSL. I want to restricte the VIP access based on user account.



In other words, only specific user is allowed to access this VIP, for all the other users, just block their access.



I believe it can be achieved by creating propre iRule based on http:username, but I am unable to find any decent reference or sample to do it.



There is 10 user name in the check list. Can someome give me a sample how to do it?



Thanks in advance



3 Replies

  • Hi,

    Here is a 9.x example which prompts the user to enter credentials if valid credentials haven't already been provided. If an auth header has a value, that value is checked against a single base64 encoded user:pass.

    You should be able to modify this for 10.x to support your requirements. Reply here if you want more detailed suggestions.

    Or if you just want to check every request for a user name which is defined in a string datagroup, you could use something like this:

    when HTTP_REQUEST {  
       log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to \ 
         [HTTP::host][HTTP::uri] with auth value: [HTTP::header value Authorization]"  
        Check if there is an authorization header with a length  
       if { [HTTP::header value "Authorization"] eq ""}{
           No Auth header.  Send a 401 to request credentials?  Or a 403 to block the request?
       } else {
           Auth header had a value, so check if the username exists in a datagroup of valid users
          if { [class match [HTTP::username] equals my_valid_usernames_class] }{
              valid request.  Do something?  Or just allow request to go to virtual server's default pool.
          } else {
              Invalid username.  Send a 401 to request credentials?  Or a 403 to block the request?

  • Note that I'm assuming something else behind LTM would actually validate the password is correct for the given username in the latter example.



  • George wrote up that very thing back in September: Click Here