Forum Discussion
Tom_Lebel_53961
Nimbostratus
Dec 27, 2005
Need to pass the entire CGI collection
First off, be gentle, I'm a newbie.
We are installing BigIPs and moving many of our pre-existing web apps behind them. Many of our apps use variables from the CGI collection, such as auth_user, script_name, server_name, etc. How do I write an iRule to pass these to the servers so the applications can still use them?
Thank you.
3 Replies
- A majority of the CGI variables are pulled from the connection established and then converted into environment variables.
You shouldn't have to do anything as the BIG-IP will transparently pass all HTTP headers through to your backend servers. There should be no change necessary to your web applications to access those CGI variables.
Are you having a problem or are you just predicting possible issues that may come up?
Here is a nice little script I use when testing CGI variables on a unix platform. Plop this in your backend server's CGI directory and try to access it. It will print out all environment variables passed into it.

```
#!/bin/sh
# Timestamp for the Expires header, so the response is not cached.
date=`date -u '+%a, %d %b %Y %H:%M:%S %Z'`
# CGI response headers, a blank line, then the start of the body.
cat << EOF
Content-type: text/plain
Expires: $date

CGI printenv

EOF
echo 'Date:'
date
echo
echo 'Id:'
id
echo
echo 'Env:'
printenv
echo
# Echo the request body back when one was sent (e.g. a POST).
if [ "$CONTENT_LENGTH" != "" ] ; then
    if [ "$CONTENT_LENGTH" -ne 0 ] ; then
        echo 'Input:'
        echo
        dd bs=1 count=$CONTENT_LENGTH
        echo
    fi
fi
```

Here's the output from one of my servers behind my v9.2 BIG-IP (with sensitive info starred out).
CGI printenv
Date:
Tue Dec 27 09:40:00 PST 2005
Id:
uid=48(apache) gid=48(apache) groups=48(apache)
Env:
SERVER_SIGNATURE=****
UNIQUE_ID=@QO6-X8AAAEAAEpeDgsAAAAA
HTTP_KEEP_ALIVE=300
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
SERVER_PORT=80
HTTP_HOST=****
DOCUMENT_ROOT=/usr/local/www
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
SCRIPT_FILENAME=/usr/local/www/cgi-bin/printenv.cgi
REQUEST_URI=/cgi-bin/printenv.cgi
SCRIPT_NAME=/cgi-bin/printenv.cgi
REMOTE_USER=****
AUTH_TYPE=Basic
HTTP_CONNECTION=keep-alive
REMOTE_PORT=2392
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
PWD=/usr/local/www/cgi-bin
SERVER_ADMIN=****
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
REMOTE_ADDR=*.*.*.*
SHLVL=1
SERVER_NAME=****
SERVER_SOFTWARE=****
QUERY_STRING=
SERVER_ADDR=*.*.*.*
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip,deflate
REQUEST_METHOD=GET
_=/usr/bin/printenv
The variables you mentioned all seem to be in there.
-Joe
- Matthew_Newby_1
Nimbostratus
Joe (and anyone else who may care to reply),
The issue we're facing (Tom and I, along with other web developers here) is that we need to get at data that's normally in the cgi.cert_subject variable when the SSL connection is terminated at the web server. We are using client-side personal certificates to uniquely identify each individual accessing our web servers (DoD-issued Common Access Cards or CACs). The user's public certs are installed in the user's Windows profile, and our IIS web servers are currently set to accept client certificates in the SSL configuration of the Internet Server Manager tool. With this configuration, our web applications can access the cgi.cert_subject variable, pull portions of the CN= substring and look up the PKI serialized ID in our application user tables as part of user authentication. We also double-check against the cgi.auth_user to make sure the user credentials match up with the PKI credentials.
When I terminate the SSL connection at the BigIP and set the BigIP to "request" client certs, and set up the IIS server to NOT require SSL connections, I still get the cgi.auth_user, but the cgi.cert_subject is blank. We're looking for some way to: ideally, pick up the cert_subject at the BigIP and jam it back into the same cgi field when the request gets tossed over to the internal interface (no web application rewrites required), or less than ideally, pick up the cert_subject at the BigIP and put it somewhere else in the headers passed along with the request on the internal interface (some web application rewrites required).
Thanks!
-matt
- Matt,
You'll have to do this within iRules by extracting the certificate info and manually inserting it into headers.
This forum thread may point you in the right direction:
http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=3722
You can also do a search on x509::subject in the forums for other posts that extract the subject info from the client certs.
-Joe
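
An added example, not code from this thread or from F5: one way to write the iRule the last reply describes, copying the client certificate subject into a request header on a virtual server whose client SSL profile requests client certificates. The header name `X-Client-Cert-Subject` is an assumption, and the backend application has to be changed to read it in place of cgi.cert_subject.

```tcl
# Added example (not from the thread). The header name is hypothetical.
when HTTP_REQUEST {
    # Always drop any copy of the header sent by the client, so the value
    # the backend sees can only have been set by the BIG-IP.
    HTTP::header remove "X-Client-Cert-Subject"

    # With the profile set to "request", a client may present no
    # certificate, or one that failed verification. Forward the subject
    # only when a certificate was presented and verified (result code 0).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
    } else {
        log local0. "No verified client certificate from [IP::client_addr]"
    }
}
```

The backend should accept this header only on connections arriving from the BIG-IP, since anything that can reach the web server directly can set the header itself.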