Forum Discussion

U_franco_117956
Jan 20, 2015

LTM as a proxy asking username/password

Hi.

I'm developing an iRule to make LTM work as a basic proxy server for the virtual servers where the iRule is configured, asking for a username and password in the same way as if you were being authenticated by a proxy server. We are going to use only one username/password, so there is no need to pass these credentials to an external authentication system, and they can be hard-coded in the iRule code.

Basically I'm trying to verify whether the Proxy-Authorization header is present in the HTTP request. If it is not in the HTTP request, a 407 or 401 error is sent to the client in order to ask for authentication. If the Proxy-Authorization header is present, I try to get the string after "Basic", decode it from Base64 to get the "username:password" string, and finally put the username and password into different variables to be compared with my username and password. If the comparison is successful, the user is allowed to navigate to the web service. If not, the user is redirected to a sorry page.

Well, it doesn't work. I don't know the reason, but I don't get any traces in the /var/log/ltm file, and the browser asks me continuously for the username and password, even when I'm entering the right username/password. What am I doing wrong? Could you tell me what I have to change or modify in my iRule to achieve my objective?

when HTTP_REQUEST {
    if { not ([HTTP::header exists "Proxy-Authorization"]) } {
        HTTP::respond 407 Proxy-Authenticate "BASIC realm=\"PROXY X\""
    } else {
        set proxyauth [lindex [split [HTTP::header value "Proxy-Authorization"] " "] 1]
        set username [lindex [split [b64decode $proxyauth] ":"] 0 ]
        set password [lindex [split [b64decode $proxyauth] ":"] 1 ]
        log local0. "PROXY-AUTHORIZATION HEADER IS $proxyauth, USERNAME IS $username AND PASSWORD IS $password"
        if {not ($username equals "useraaa" and $password equals "aaauser") } {
            HTTP::redirect "http://sorrypage.aaaaa.com"
        }
    }
}

4 Replies

  • Hi Michael.

    I don't see anything in the /var/log/ltm file from the log local0. trace, and Proxy-Authorization is present in the HTTP request.

    B.R.

  • So what about if you add some more logging. Do you get anything then?

    when HTTP_REQUEST {
        log local0. "Testing Proxy-Authorization"
    
        log local0. "  Headers:"
        foreach name [HTTP::header names] {
            log local0. "    ${name}: [HTTP::header value $name]"
        }
    
        if { not ([HTTP::header exists "Proxy-Authorization"]) } {
            log local0. "  NO PROXY-AUTHENTICATE HEADER. Returning 407"
            HTTP::respond 407 Proxy-Authenticate "BASIC realm=\"PROXY X\""
        } else {
            log local0. "  PROXY-AUTHENTICATE HEADER exists."
            log local0. "    Value: [HTTP::header value "Proxy-Authorization"]"
    
            set proxyauth [lindex [split [HTTP::header value "Proxy-Authorization"] " "] 1]
            set username [lindex [split [b64decode $proxyauth] ":"] 0 ]
            set password [lindex [split [b64decode $proxyauth] ":"] 1 ]
            log local0. "    PROXY-AUTHORIZATION HEADER IS $proxyauth, USERNAME IS $username AND PASSWORD IS $password"
            if {not ($username equals "useraaa" and $password equals "aaauser") } {
                HTTP::redirect "http://sorrypage.aaaaa.com"
            }
        }
    }
    
  • Hi.

    Thanks for your response.

    I have solved my problem. I was asking for the wrong HTTP header. I had to look for the Authorization header, not Proxy-Authorization.

    Finally this is my irule, and it works fine:

    when HTTP_REQUEST {
    
        if { not ([HTTP::header exists "Authorization"]) } {
            HTTP::respond 401 WWW-Authenticate "BASIC realm=\"F5 BIGIP PROXY AUTH\""
        } else {
            set proxyauth [lindex [split [HTTP::header value "Authorization"] " "] 1]
            set username [lindex [split [b64decode $proxyauth] ":"] 0 ]
            set password [lindex [split [b64decode $proxyauth] ":"] 1 ]
            log local0. "PROXY-AUTHORIZATION HEADER IS $proxyauth, USERNAME IS $username AND PASSWORD IS $password"
            if {not ($username equals "useraaa" and $password equals "aaauser") } {
                HTTP::respond 401 WWW-Authenticate "BASIC realm=\"F5 BIGIP PROXY AUTH\""
            }
        }
    }
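
Added example, not part of the thread or any poster's code: a Python model of the check the final iRule performs, extended to cases the thread's code does not handle, namely a password containing ":" (split only at the first colon), a malformed or non-Basic header, constant-time comparison, and a log line that omits the password. The credentials and realm are the placeholders from the thread; the function names are hypothetical.

```python
import base64
import hmac

# Placeholder credentials and realm taken from the thread (not real secrets).
EXPECTED_USER = "useraaa"
EXPECTED_PASS = "aaauser"
REALM = "F5 BIGIP PROXY AUTH"


def parse_basic(header_value):
    """Return (username, password) from a Basic credentials header, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # the scheme name is case-insensitive; other schemes are rejected
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers invalid Base64 and undecodable bytes
        return None
    # Split at the FIRST colon only: the password itself may contain ":".
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def check_request(headers):
    """Return (status, response_headers, log_line) for a dict of request headers."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return 401, challenge, "no Authorization header, sending challenge"
    creds = parse_basic(value)
    if creds is None:
        return 401, challenge, "malformed Basic credentials, sending challenge"
    username, password = creds
    # Run both comparisons in constant time, whatever the first one returns.
    user_ok = hmac.compare_digest(username.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())
    # The log line carries the username only (repr-escaped), never the password or token.
    if user_ok and pass_ok:
        return 200, {}, f"auth ok for user {username!r}"
    return 401, challenge, f"auth failed for user {username!r}"
```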