Ed_27995
Nimbostratus
May 28, 2008
iRule to set Fallback Host based on user ID
Hi All,
Extremely new to iRules and TCL scripting. I have created the code for an iRule, syntax checks as correct, as follows:
when HTTP_REQUEST {
    # findstr skips the 8 characters of "webctid=" and returns the next 2
    if {[findstr [HTTP::uri] "webctid=" 8 2] == "83"} {
        HTTP::fallback "http://web_address_here/page.asp"
    } elseif {[findstr [HTTP::uri] "webctid=" 8 2] == "95"} {
        HTTP::fallback "http://web_address_here/page.asp"
    }
}
The intent of the rule is to redirect student accounts, identified by an id starting with "83" or "95" to a maintenance page explaining why access is restricted, while allowing faculty, administrator, and other accounts normal access.
Questions I have are:
- Does this look like it'll work?
- Will the 2 findstr and comparison operations introduce a lot of latency into the BigIP operations?
- Is there a better way to do this? Maybe a single digit extract and a "string is digit" comparison?
Thanks!
Ed
2 Replies
- hoolio
Cirrostratus
Hi Ed,
A fallback host would only be used if the pool is down. If you always want to redirect the clients which match the URI logic, you should use HTTP::redirect or HTTP::respond instead.
Is webctid a parameter in the query string or a string in the path? If it's a URI parameter, you could parse the value with [URI::query [HTTP::uri] "parameter_name"]. Your string method might be faster though.
Also, is there anything stopping a malicious user from changing or removing the string to avoid being redirected?
Aaron
- Ed_27995
Nimbostratus
Hi Aaron,
Thanks very much for your reply!
The HTTP::redirect is the better way to accomplish the redirection - I am amending my code now.
Some more info regarding the intent here - the BigIPs serve an online class system, and student access to classes is restricted when class is not in session. I'll be locking the student accounts in the app, but the login attempts result in a "problem logging you in, contact server administrator" message, which generates a lot of angst.
It seems more elegant to redirect attempted student logins to a page explaining access is restricted due to maintenance and will be restored at the beginning of the next academic term. If someone were to figure out a way to send a web request bypassing the redirection, they will simply see one of the "unfriendly" error messages.
The webctid is one of the account credentials being passed during a logon attempt, and seems to be the best (only) way to differentiate accounts and implement the redirection. Student accounts are all numeric, so I suppose I could just check the leading character, and if it's a digit then impose the redirection. That would mean one findstr operation and one comparison.
Ed
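An added example, not code from either poster: one way the approach the thread converges on could be written as an iRule, using HTTP::redirect and the single leading-digit check Ed describes. It assumes webctid is a query-string parameter and reuses the placeholder URL from the original post; since a client can alter or drop the parameter, the account lock in the application remains the actual access control and the redirect is only a friendlier message.

```tcl
when HTTP_REQUEST {
    # Assumption: webctid is passed as a query-string parameter.
    # URI::query returns an empty string when the parameter is absent.
    set webctid [URI::query [HTTP::uri] "webctid"]

    # Student IDs are all numeric (per the thread), so a leading digit
    # identifies a student account. -strict is required here: without it,
    # "string is digit" reports true for an empty string, and every
    # request that lacks webctid would be redirected.
    if {[string is digit -strict [string index $webctid 0]]} {
        # Placeholder URL from the original post.
        HTTP::redirect "http://web_address_here/page.asp"
    }
    # Any other request (faculty, administrators, or no webctid at all)
    # falls through to the pool unchanged.
}
```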