Forum Discussion
JP_135500
Nimbostratus
NimbostratusOnly enable access policy when server response is 401?
We have a site that is a mix of anonymous and authenticated content. The authenticated content lives all over within the site and is maintained by hundreds of content editors, so there's really no pa...
TO add to Josh's suggestion.
If you see the 401 from the server in HTTP_RESPONSE, add some cookie or other marker and redirect client back to the VIP. If the cookie or other marker is seen, then do ACCESS::enable.
Stanislas_Piro2
Cumulonimbus
CumulonimbusThank you for the update.
I changed your iRule to remove Host and scheme in redirect.
when HTTP_REQUEST {
store the host header for the initial /start_policy redirect
set uri [HTTP::uri]
if { ( [HTTP::cookie exists MRHSession] ) or ( [HTTP::uri] starts_with "/start_policy" ) } {
initial redirect to /start_policy (starts access policy evaluation) - or a normal post-policy request
set apm_req 1
return
} else {
APM session disabled until logon process is started
ACCESS::disable
set apm_req 0
return
}
}
when ACCESS_SESSION_STARTED {
store the initial (redirect URI) until it's needed
ACCESS::session data set session.cms.starturi [findstr [HTTP::uri] "/start_policy=" 14]
}
when ACCESS_POLICY_COMPLETED {
log local0. "uri was [ACCESS::session data get session.cms.starturi]"
ACCESS::respond 301 Location "[ACCESS::session data get session.cms.starturi]"
}
when HTTP_RESPONSE {
log local0. "apm_req was $apm_req"
capture the redirect to authenticate
if { ([HTTP::status] eq "401") and ($apm_req eq 0) } {
initiate access policy processing
log local0. "apm_req was $apm_req so redirecting"
HTTP::respond 302 Location "/start_policy=$uri"
}
}