Forum Discussion
iRule request for APM
Hello all.
I'm looking for an iRule that will force the session through an APM profile based on the URL that is being accessed, even if an APM profile has already been processed.
Currently I have multiple APM profiles configured on multiple virtual servers. The APM profiles in question have an F5 login page that is required to pass AD auth and then SSO credential mapping. There is logic in the Access Policy to exclude certain landing URIs from having to log in.
The need for this comes in when someone hits a page that bypasses the login page, then in the same session accesses something that does require authentication. It seems to be bypassing the APM policy and not forcing the F5 login page along with SSO credential mapping.
I'm new to writing iRules, any help would be appreciated.
6 Replies
- Kevin_Stewart
Employee
This is somewhat the reverse of what you're doing now, but give this a shot:

    when HTTP_REQUEST {
        if { ( [HTTP::cookie exists MRHSession] ) or ( [class match [string tolower [HTTP::uri]] starts_with my_private_uris] ) } {
            return
        } else {
            ACCESS::disable
            return
        }
    }

where "my_private_uris" would be a string-based data group containing the root path of all of the private URIs (the URIs that require an access policy). Example:

    ltm data-group internal /Common/my_private_uris {
        records {
            /private { }
            /secure { }
            /finance { }
            /admin { }
        }
        type string
    }

The idea here is that as long as the user 1) hasn't accessed one of these URI patterns, and 2) doesn't already have an active APM session, disable the policy for this request.
- sbrudolf1_14757
Nimbostratus
Thanks, I believe this will work for me.
- sbrudolf1_14757
Nimbostratus
Kevin, everything seems to work but the data group list. I am using a data group list and filling in the string with the /uri, but it doesn't seem to be picking up on the traffic.
I did confirm this works when using URIs directly in the iRule. Below is what I have confirmed working.

    when HTTP_REQUEST {
        if { ( [HTTP::cookie exists MRHSession] ) or ( [string tolower [HTTP::uri]] starts_with "/formstest" ) } {
            return
        } else {
            ACCESS::disable
            return
        }
    }
- sbrudolf1_14757
Nimbostratus
I am using 11.4. I tried both with and without something in the value field. Neither of them seems to be working.
- Kevin_Stewart
Employee
Very odd. How about some debugging:
    when HTTP_REQUEST {
        log local0. "incoming URI = [HTTP::uri]"
        if { ( [HTTP::cookie exists MRHSession] ) or ( [class match [string tolower [HTTP::uri]] starts_with my_private_uris] ) } {
            if { [HTTP::cookie exists MRHSession] } { log local0. "MRHSession cookie exists" }
            if { [class match [string tolower [HTTP::uri]] starts_with my_private_uris] } { log local0. "URI found in data group" }
            return
        } else {
            log local0. "Access disabled for this request"
            ACCESS::disable
            return
        }
    }

- sbrudolf1_14757
Nimbostratus
I believe I found the error. Now what to make of it? The "my_private_uris" is named "apm_f5test_include_irule". I have three different URIs in there.
Fri May 23 14:16:07 EDT 2014 info f5-cdc tmm7[10341] Rule /Common/apm_f5test_include_irule : MRHSession cookie exists
Fri May 23 14:16:07 EDT 2014 info f5-cdc tmm7[10341] Rule /Common/apm_f5test_include_irule : incoming URI = /
(This appeared three times) - Fri May 23 14:07:11 EDT 2014 err f5-cdc mcpd[6599] 01070151 Rule [/Common/apm_f5test_include_irule] error: /Common/apm_f5test_include_irule:3: error: [wrong args][class match [string tolower [HTTP::uri]] apm_f5test_include_dglist]
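
The mcpd error in the last post shows `class match` called with an item and a data group name but no operator between them. As an added example that is not part of any post in this thread, the iRule below uses the three-argument form from Kevin's rule with the data group name taken from that error message; the `class exists` guard and the log wording are assumptions added for illustration.

```tcl
# Added example, not code from the thread.
when HTTP_REQUEST {
    # Data group name as it appears in the mcpd error above.
    # Assumption: it is a string data group of protected URI prefixes,
    # entered in lowercase because the URI is lowercased before matching.
    set dg "apm_f5test_include_dglist"

    # Fail closed: if the data group cannot be found, leave the access
    # policy enabled instead of disabling it for the request.
    if { ![class exists $dg] } {
        log local0. "data group $dg not found, access policy left enabled"
        return
    }

    set uri [string tolower [HTTP::uri]]

    # An existing APM session cookie keeps the policy in the path.
    if { [HTTP::cookie exists MRHSession] } {
        log local0. "MRHSession cookie exists, access policy left enabled"
        return
    }

    # class match takes item, operator, data group. Leaving out the
    # operator (starts_with here) gives the "wrong args" error.
    if { [class match $uri starts_with $dg] } {
        log local0. "protected URI $uri, access policy left enabled"
        return
    }

    # Only requests with no session and no protected prefix skip APM.
    log local0. "public URI $uri, access policy disabled for this request"
    ACCESS::disable
}
```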