Forum Discussion
Need to allow request only if application opens from parent portal
Dear Experts,
Please suggest an iRule where application access is only allowed if the app is being accessed from the authenticated portal. The Referer header can be checked on the first request. How do I allow the subsequent requests, which have no Referer header?
Please suggest any possible way to protect the application from the internet. The application cannot have any kind of authentication, but direct access from the internet needs to be blocked.
14 Replies
- Yann_Desmarest_
Nacreous
Hi,
You can use the ASM module to force URL access through a specific workflow ("URL Flow").
You can use APM and extend the session cookie domain to cover both apps. Then, with an iRule, you can check for a valid session and grant access, or deny/redirect the user.
Not sure if this is good in terms of security, but you can use an iRule to identify the Referer and provide a cookie. Here is the logic:
when HTTP_REQUEST {
    set insert_cookie 0
    if { [HTTP::header Referer] eq "https://myportal.com/index.html" } {
        # first hop from the portal: let it through and mark the response so the cookie gets set
        set insert_cookie 1
    } elseif { !([HTTP::cookie exists MRH]) } {
        # neither the portal Referer nor the cookie is present: drop the request
        reject
    }
}
when HTTP_RESPONSE {
    if { [info exists insert_cookie] and $insert_cookie == 1 } {
        HTTP::cookie insert name "MRH" value "some verifiable encrypted string"
    }
}
That's the concept; you should then add some security around the cookie value generation.
- spalande
Nacreous
Thanks Yann for the response. Will the above iRule add the MRH cookie on all subsequent requests to VIP2, or only on the initial request from the authenticated portal? Only the initial request will have the Referer header. I need to allow only requests that are coming from the authenticated portal (VIP1). VIP1 has form-based authentication and doesn't have APM configured. I have the ASM module running as well. Will that also be helpful in my case?
- Yann_Desmarest_
Nacreous
ASM can help; you can try to configure the "URL Flow" setting, but on reflection it will not be enough to secure access.
- Yann_Desmarest_
Nacreous
What is the domain of the session cookie on VIP1? If you have vip1.example.com and vip2.example.com, you can change the cookie domain on VIP1 and read it on VIP2.
- Yann_Desmarest_
Nacreous
Formatted example:
on VIP1:
when HTTP_RESPONSE {
    if { [HTTP::cookie exists "MySessionCookie"] } {
        # widen the cookie domain so that VIP2's hostname receives it as well
        HTTP::cookie domain "MySessionCookie" "example.com"
    }
}
on VIP2:
when HTTP_REQUEST {
    if { [HTTP::cookie exists "MySessionCookie"] } {
        # cookie validation goes here; the post does not supply it
    } else {
        HTTP::redirect "https://vip1.example.com/login"
    }
}
But clearly, it would be easier to use the APM module, put an access profile with multi-domain SSO on both VIPs, and configure Web SSO for VIP1.
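The two iRules above leave the hard part open: the "verifiable encrypted string" that the first iRule inserts into the MRH cookie, and the "cookie validation" placeholder in the VIP2 rule. Because the Referer header is supplied by the client, everything after the first hop rests on that cookie being unforgeable and short-lived. The following is an added example, not code from Yann's posts or from F5; it is written in Python as a stand-in for the Tcl the iRule would carry, so the scheme can be exercised offline. It assumes an HMAC-SHA256 key held only by the BIG-IP (`SECRET`), a cookie layout of `nonce.expiry.signature` (both my own choices), and the portal URL `https://myportal.com/index.html` from the thread; `decide_request` mirrors the HTTP_REQUEST decision with a simplified, pre-parsed view of the request headers.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret; on a BIG-IP this would live in a secure store, never in the rule text.
SECRET = b"replace-with-a-long-random-secret"
COOKIE_NAME = "MRH"
PORTAL_REFERER = "https://myportal.com/index.html"
TTL_SECONDS = 600  # cookie lifetime; short so a copied value is useful only briefly


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding; the alphabet contains no '.', which is our separator
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def issue_cookie(now: Optional[int] = None) -> str:
    """Build a tamper-evident cookie value: <random nonce>.<expiry epoch>.<hmac>."""
    now = int(time.time()) if now is None else now
    nonce = _b64(os.urandom(16))
    payload = f"{nonce}.{now + TTL_SECONDS}".encode()
    return f"{payload.decode()}.{_sign(payload)}"


def validate_cookie(value: str, now: Optional[int] = None) -> bool:
    """True only if the signature matches and the expiry has not passed."""
    now = int(time.time()) if now is None else now
    parts = value.split(".")
    if len(parts) != 3:
        return False
    nonce, expiry, sig = parts
    expected = _sign(f"{nonce}.{expiry}".encode())
    # constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(sig, expected):
        return False
    return expiry.isdigit() and int(expiry) > now


def decide_request(headers: Dict[str, object], now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Mirror the HTTP_REQUEST logic. Returns (action, cookie_value_to_set_on_the_response)."""
    cookies = headers.get("Cookie", {})
    assert isinstance(cookies, dict)
    if COOKIE_NAME in cookies and validate_cookie(cookies[COOKIE_NAME], now):
        return ("allow", None)          # valid session cookie: no Referer needed
    if headers.get("Referer") == PORTAL_REFERER:
        return ("allow", issue_cookie(now))  # first hop from the portal: mint a cookie
    return ("reject", None)             # neither: drop the request


if __name__ == "__main__":
    # Constructed walk-through: portal hop, follow-up request, then a forged cookie.
    action, cookie = decide_request({"Referer": PORTAL_REFERER})
    print(action, cookie)
    print(decide_request({"Cookie": {COOKIE_NAME: cookie}}))
    print(decide_request({"Cookie": {COOKIE_NAME: cookie[:-2] + "xx"}}))
```

The nonce gives every session a distinct value, the expiry bounds how long a value stays valid, and the HMAC means the BIG-IP can verify the cookie without storing anything per session; the VIP2 rule's "insert code to add cookie validation" slot would hold the Tcl equivalent of `validate_cookie`, and the HTTP_RESPONSE branch of the first rule the equivalent of `issue_cookie`.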
- Yann_Desmarest_
Nacreous
Hi, did you have a chance to test this scenario?
- spalande
Nacreous
Dear Yann,
I ended up configuring APM for this, with a local user database for VIP2, to secure the access.