Forum Discussion
winddlover_9858
Nimbostratus
Jan 14, 2011
iRule for access VIP based on user name
I am configuring a VIP and implementing basic authentication method over SSL. I want to restrict the VIP access based on user account.
In other words, only specific user is allowed to acce...
hoolio
Cirrostratus
Jan 14, 2011
Hi,
Here is a 9.x example which prompts the user to enter credentials if valid credentials haven't already been provided. If an auth header has a value, that value is checked against a single base64 encoded user:pass.
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/13423/afv/topic/Default.aspx27783
You should be able to modify this for 10.x to support your requirements. Reply here if you want more detailed suggestions.
Or if you just want to check every request for a user name which is defined in a string datagroup, you could use something like this:
when HTTP_REQUEST {
    # Debug log for each request (this writes the Authorization header value to the log)
    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to \
        [HTTP::host][HTTP::uri] with auth value: [HTTP::header value Authorization]"

    # Check if there is an authorization header with a length
    if { [HTTP::header value "Authorization"] eq "" } {
        # No Auth header. Send a 401 to request credentials? Or a 403 to block the request?
    } else {
        # Auth header had a value, so check if the username exists in a datagroup of valid users
        if { [class match [HTTP::username] equals my_valid_usernames_class] } {
            # Valid request. Do something? Or just allow request to go to virtual server's default pool.
        } else {
            # Invalid username. Send a 401 to request credentials? Or a 403 to block the request?
        }
    }
}
Aaron
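One way to fill in the open branches of the data group check above, added here as an example and not part of the original reply. It assumes the password itself is verified elsewhere (for example by an authentication profile on the virtual server or by the back-end server), since matching the user name alone proves nothing about who sent it; the realm string is a constructed value, and `my_valid_usernames_class` is the data group name from the reply.

```tcl
when HTTP_REQUEST {
    # Assumption: password verification happens elsewhere. This iRule only
    # restricts which user names may reach the pool; it does not authenticate.

    # No Authorization header, or one without a Basic user name:
    # send a 401 challenge so the client prompts for credentials.
    if { [HTTP::header value "Authorization"] eq "" || [HTTP::username] eq "" } {
        HTTP::respond 401 content "Authentication required" \
            WWW-Authenticate "Basic realm=\"Restricted VIP\""
        return
    }

    # User name is not in the string data group: refuse with a 403 rather
    # than re-prompting, and log only the user name, never the header value.
    if { ![class match [HTTP::username] equals my_valid_usernames_class] } {
        log local0. "[IP::client_addr]:[TCP::client_port]: user\
            '[HTTP::username]' not allowed for [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Allowed user name: take no action, so the request goes to the
    # virtual server's default pool.
}
```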