Forum Discussion
2 Replies
Sort By
Better not to re-invent the wheel, especially when it comes to security. Is there any reason you can't use HTTP Basic auth or Client Certificate auth, to name a few examples?
- Kevin_StewartEmployee
Well, yes of course. There's not much you really can't do with iRules (the F5 programmability API), so such a thing would be extremely reasonable.
when HTTP_REQUEST { if { [HTTP::header exists MYAUTHHDR] } { do something with that header } }
The real question, however, is how you would implement such a thing securely. HTTP headers don't usually provide any sort of challenge-response mechanism, so you'd have to create such a thing, both in iRules AND within the client from scratch, and you'd have to make sure that a) the communication was encrypted, and b) that it is (hopefully) not spoofable.