For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Adam_S's avatar
Adam_S
Icon for Altostratus rankAltostratus
May 16, 2019

irule response redirect entire host to external website if a loaded resource returns 401

I have a specific usecase here where we have a Tableau Server that has the dreaded /#/ in the url. As a result my tactic is to run an irule on loaded resources to determine if the /getSessionInfo res...
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
May 25, 2019

You can try the code below. This iRule needs a virtual server with a stream profile enabled. The iRule will inject some javascript that will check if a redirect is needed. If needed it will do the redirect. You may have to adjust it a bit.

 

when RULE_INIT {
    # insert custom javascript     
    set static::search_body {</body>}
    set static::replace_body {<script src="/401_redirect.js" defer></script></body>}
  
    # javascript that checks the redirect status every 5 seconds
    set static::script {
        function getStatus() {
            xmlhttp = new XMLHttpRequest();
            xmlhttp.open("GET", "/401_status.html", true);                  
            xmlhttp.timeout = 200;
            xmlhttp.onreadystatechange = function(){
                if(xmlhttp.readyState == 4 && xmlhttp.status == 200){
                    //console.log("received " + xmlhttp.responseText);
                    if(xmlhttp.responseText == "redirect is needed") {
                        window.location = "/401_redirect";
                    }
                }
            }
            xmlhttp.send();
        }
        getStatus()
        window.setInterval(getStatus, 5000);
    }
}
 
when HTTP_REQUEST {
    # Disable the stream filter by default   
    STREAM::disable 
 
    # LTM does not uncompress response content, so if the server has compression enabled
    # and it cannot be disabled on the server, we can prevent the server from
    # sending a compressed response by removing the compression offerings from the client
    HTTP::header remove "Accept-Encoding"
    
    log local0. "MARKER2: [HTTP::uri]"
    set uri [HTTP::uri]
    
    if { [HTTP::uri] equals "/401_redirect.js" } {
        HTTP::respond 200 content $static::script
    }
    
    if { [HTTP::uri] equals "/401_status.html" } {
        set status [ACCESS::session data get session.custom.redirect.status]
        if { [info exists "status"] && $status == 1 } {
            HTTP::respond 200 content "redirect is needed"
        } 
        else {
            HTTP::respond 200 content "redirect is not needed"
        }
    }
    
    if { [HTTP::uri] equals "/401_redirect" } {
        # redirect will be done in a moment, so set this to 0
        ACCESS::session data set session.custom.redirect.status 0
        
        set username  [ACCESS::session data get session.logon.last.username]
        HTTP::redirect "https://www.example.com/?user=$username"
    }
}
 
when HTTP_RESPONSE {   
    # Check if we're rewriting the response
    if { ([HTTP::header value Content-Type] contains "text") } {
        STREAM::expression "@$static::search_body@$static::replace_body@"
                STREAM::enable
    }
    
    if {$uri equals "/vizportal/api/web/v1/getSessionInfo"} {  #this works
        log local0. "MARKER3: $uri"
        if {[HTTP::status] equals "401"} { # this also works
            log local0. "MARKER3: [HTTP::status]"
            
            # redirect will be needed
            ACCESS::session data set session.custom.redirect.status 1
        }
    }
}