Forum Discussion
JP_135500
Jan 31, 2014 Nimbostratus
Only enable access policy when server response is 401?
We have a site that is a mix of anonymous and authenticated content. The authenticated content lives all over within the site and is maintained by hundreds of content editors, so there's really no pa...
- Jan 31, 2014
To add to Josh's suggestion.
If you see the 401 from the server in HTTP_RESPONSE, add some cookie or other marker and redirect client back to the VIP. If the cookie or other marker is seen, then do ACCESS::enable.
JP_135500
Jul 08, 2014 Nimbostratus
With help from an F5 engineer, I was able to get this working as I needed. The base of the iRule that I ended up using to get my situation solved is below. This is essentially what the F5 engineer sent along:
when HTTP_REQUEST {
    # store the host header for the initial /start_policy redirect
    set host [HTTP::host]
    set uri [HTTP::uri]
    if { ( [HTTP::cookie exists MRHSession] ) or ( [HTTP::uri] starts_with "/start_policy" ) } {
        # initial redirect to /start_policy (starts access policy evaluation) - or a normal post-policy request
        set apm_req 1
        return
    } else {
        # APM session disabled until logon process is started
        ACCESS::disable
        set apm_req 0
        return
    }
}
when ACCESS_SESSION_STARTED {
    # store the initial (redirect URI) until it's needed
    ACCESS::session data set session.cms.starturi [findstr [HTTP::uri] "/start_policy=" 14]
    ACCESS::session data set session.cms.starthost [HTTP::host]
}
when ACCESS_POLICY_COMPLETED {
    log local0. "host was [ACCESS::session data get session.cms.starthost]"
    log local0. "uri was [ACCESS::session data get session.cms.starturi]"
    ACCESS::respond 301 Location "https://[ACCESS::session data get session.cms.starthost][ACCESS::session data get session.cms.starturi]"
}
when HTTP_RESPONSE {
    log local0. "apm_req was $apm_req"
    # capture the redirect to authenticate
    if { ([HTTP::status] eq "401") and ($apm_req eq 0) } {
        # initiate access policy processing
        log local0. "apm_req was $apm_req so redirecting"
        HTTP::respond 302 Location "https://${host}/start_policy=$uri"
    }
}
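The request flow this iRule produces, traced in a small Python model. This is an added example, not part of the thread or F5 code. The host `www.example.com`, the sample URIs, the function names, and the assumptions that the access policy succeeds and the backend then answers 200 are all constructed for illustration.

```python
# Added model of the iRule's decisions in plain Python; it is not F5 code.
MARKER = "/start_policy="          # same marker string the iRule uses

def http_request(uri, cookies):
    """HTTP_REQUEST: return apm_req (1 = leave APM enabled, 0 = ACCESS::disable)."""
    return 1 if "MRHSession" in cookies or uri.startswith("/start_policy") else 0

def http_response(status, apm_req, host, uri):
    """HTTP_RESPONSE: turn a backend 401 on a non-APM request into the 302."""
    if status == 401 and apm_req == 0:
        return 302, f"https://{host}{MARKER}{uri}"
    return status, None

def start_uri(uri):
    """ACCESS_SESSION_STARTED: findstr <uri> "/start_policy=" 14 (text after marker)."""
    pos = uri.find(MARKER)
    return "" if pos < 0 else uri[pos + len(MARKER):]

def walk(host, uri, protected):
    """Trace one browser through the flow as (uri, apm_req, status, location)."""
    def backend(u, authed):
        # Constructed backend: 401 for protected content until the user is authenticated.
        return 401 if u in protected and not authed else 200
    cookies, trace = set(), []
    apm = http_request(uri, cookies)
    status, loc = http_response(backend(uri, False), apm, host, uri)
    trace.append((uri, apm, status, loc))
    if status != 302:
        return trace                      # anonymous content: APM never engaged
    hop = loc[len(f"https://{host}"):]    # browser follows the 302
    apm = http_request(hop, cookies)      # matches /start_policy, so the policy runs
    saved = start_uri(hop)
    cookies.add("MRHSession")             # assumption: the access policy succeeds
    loc = f"https://{host}{saved}"        # ACCESS_POLICY_COMPLETED: 301 back
    trace.append((hop, apm, 301, loc))
    apm = http_request(saved, cookies)    # final request carries the session cookie
    status, loc = http_response(backend(saved, True), apm, host, saved)
    trace.append((saved, apm, status, loc))
    return trace

if __name__ == "__main__":
    for step in walk("www.example.com", "/hr/pay.aspx?id=7", {"/hr/pay.aspx?id=7"}):
        print(step)
```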