Forum Discussion
Persist Cookie and Domain Modification iRule question
Hi,
I am a newbie to F5 and I am trying to find out whether the following iRule is valid, or how I can achieve something similar to the below.
In plain text:
Browser sends a request to www.foo.com.au/Login/someapp
F5 should intercept and redirect to https://accesscontrol.abc.com.au/Login/someapp
accesscontrol.abc.com.au is a VIP / F5 address and it should insert a cookie "setRequestAuthnContxt=SOMEKEY" and domain to be one level down which is abc.com.au and not the accesscontrol.abc.com.au. Also I would like to see
    when HTTP_REQUEST {
        if { [HTTP::host] equals "www.foo.com.au" and [HTTP::uri] starts_with "/Login/someapp" } {
            HTTP::redirect "https://accesscontrol.abc.com.au/Login/someapp [HTTP::host][HTTP::uri]"
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::host] equals "accesscontrol.abc.com.au" and [HTTP::uri] starts_with "/Login/someapp" }
        { when HTTP_RESPONSE {
            HTTP::cookie insert name "setRequestAuthContxt" SOMEKEY [HTTP::cookie value "old-cookie-name"]
            HTTP::cookie domain $aCookie .abc.com.au
        }
        HTTP::redirect "https://www.foo.com.au/someapp [HTTP::host][HTTP::uri]"
        }
    }
Appreciate your response.
5 Replies
- nitass
Employee
Is it something like this?

    [root@ve10:Active] config b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          set mod_ck 0
          if { [HTTP::host] equals "accesscontrol.abc.com.au" and [HTTP::uri] starts_with "/Login/someapp" } {
             set mod_ck 1
          }
       }
       when HTTP_RESPONSE {
          if { $mod_ck } {
             HTTP::cookie insert name "setRequestAuthContxt" value SOMEKEY domain "abc.com.au"
          }
       }
    }

set-cookie

    [root@ve10:Active] config curl -Ik https://accesscontrol.abc.com.au/Login/someapp
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Mar 2013 10:22:49 GMT
    Server: Apache/2.2.3 (CentOS)
    Content-Type: text/html; charset=iso-8859-1
    Set-Cookie: setRequestAuthContxt=SOMEKEY;domain=abc.com.au;

no set-cookie

    [root@ve10:Active] config curl -Ik https://accesscontrol.abc.com.au/
    HTTP/1.1 200 OK
    Date: Tue, 12 Mar 2013 10:23:09 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8

- Fabian_124018
Nimbostratus
The example looks like a similar problem I've got at the moment.
The example seems to work with a sub-domain within the same domain:
e.g. https://accesscontrol.abc.com.au/
But how would you get the F5 to use an iRule or iRules to:
1. Detect a referer URL in one domain (like in this example; http://foo.com.au/AppStart/something);
2. Use the iRule to redirect to another domain (like in the example; http://abc.com.au/AppStart/something) which is passed back to another F5 VIP;
3. Another iRule would detect the redirected referer URL (like in the example; http://abc.com.au/AppStart/something);
4. Create a cookie called SetRequestAuthnContext (as in the example) with a specific cookie value (like in the example; Something) in the redirected referer domain (like in the example; http://abc.com.au)
5. After setting the cookie in the abc.com.au domain; redirect back to the original referer URL (http://foo.com.au/TheApplication)
6. The original referer URL will read the SetRequestAuthnContext cookie and forward their browser to a specific element within the original referer URL.
It looks like Santhana's rule suggests the above steps, yet I'm a little lost when it comes to coding the F5 iRule itself.
Fabian
- nitass
Employee
I think it may be easier to understand if you can divide the steps into virtual server/iRule, so we can address them one by one.
- Fabian_124018
Nimbostratus
Here is my first ever attempt at some F5 coding learning from what you started with nitass.
Am I even close?
Fabian
    [root@ve10:Active] config b virtual foo_website list

Website No.1 - https://www.foo.com.au/Login/Something

    virtual foo_website {
       snat automap
       pool foo
       destination 172.28.19.252:443
       ip protocol 6
       rules redirect
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }

iRule No.1 - https://www.foo.com.au/Login/Something redirecting to https://as.abc.com.au/Login/Something

    [root@ve10:Active] config b rule redirect list
    rule redirect {
       when HTTP_REQUEST {
          if { [HTTP::host] equals "www.foo.com.au" and [HTTP::uri] starts_with "/Login/Something" } {
             HTTP::redirect "https://as.abc.com.au/Login/Something [HTTP::host][HTTP::uri]"
          }
       }
    [root@ve10:Active] config b virtual abc_website list

Website No.2 - https://as.abc.com.au/Login/Something

    virtual abc_website {
       snat automap
       pool foo
       destination 172.28.19.253:443
       ip protocol 6
       rules setcookie
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }

iRule No.2 - If https://as.abc.com.au/Login/Something then set cookie called setRequestAuthcontext with cookie value of SOMEKEY in the *.abc.com.au domain. Once the cookie is set then redirect back to https://www.foo.com.au/TheApplication

    [root@ve10:Active] config b rule setcookie list
    rule setcookie {
       when HTTP_REQUEST {
          set mod_ck 0
          if { [HTTP::host] equals "as.abc.com.au" and [HTTP::uri] starts_with "/Login/Something" } {
             set mod_ck 1
             HTTP::redirect "https://www.foo.com.au/TheApplication [HTTP::host][HTTP::uri]"
          }
       }
       when HTTP_RESPONSE {
          if { $mod_ck } {
             HTTP::cookie insert name "setRequestAuthContxt" value SOMEKEY domain "abc.com.au"
          }
       }
    }

- nitass
Employee
1

    [root@ve10:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if { [HTTP::host] equals "www.foo.com.au" and [HTTP::path] starts_with "/Login/Something" } {
             HTTP::redirect "https://as.abc.com.au[HTTP::uri]"
          }
       }
    }
    [root@ve10:Active] config curl -Ik https://www.foo.com.au/Login/Something/sweet
    HTTP/1.0 302 Found
    Location: https://as.abc.com.au/Login/Something/sweet
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

2

    [root@ve10:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if { [HTTP::host] equals "as.abc.com.au" and [HTTP::path] starts_with "/Login/Something" } {
             HTTP::respond 302 Location "https://www.foo.com.au/TheApplcation" "Set-Cookie" "setRequestAuthContxt=SOMEKEY; path=/; domain=.abc.com.au"
          }
       }
    }
    [root@ve10:Active] config curl -Ik https://as.abc.com.au/Login/Something/sweet
    HTTP/1.0 302 Found
    Location: https://www.foo.com.au/TheApplcation
    Set-Cookie: setRequestAuthContxt=SOMEKEY; path=/; domain=.abc.com.au
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
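
Added example (not part of the original thread and not F5's or any poster's code): a small model of RFC 6265 cookie scoping, run against the Set-Cookie header from the last reply, showing which of the thread's hosts a browser would send the cookie to and over which scheme. The function names are illustrative; public-suffix and path checks are left out.

```python
import ipaddress

# Set-Cookie value copied from the final reply in the thread.
THREAD_COOKIE = "setRequestAuthContxt=SOMEKEY; path=/; domain=.abc.com.au"

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: the host is the domain itself or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals only ever match exactly
        return False
    except ValueError:
        return host.endswith("." + cookie_domain)

def accept(set_cookie, setting_host):
    """Return the cookie as a browser would store it, or None if rejected."""
    pair, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for part in filter(None, attr_parts):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()  # a leading dot is ignored
    if domain and not domain_match(setting_host, domain):
        return None                     # a host cannot set cookies for a foreign domain
    return {"name": name, "value": value, "attrs": attrs,
            "domain": domain or setting_host.lower(), "host_only": not domain}

def sent_to(cookie, host, https=True):
    """Would the browser attach this cookie to a request for host? (path ignored)"""
    if "secure" in cookie["attrs"] and not https:
        return False
    if cookie["host_only"]:
        return host.lower() == cookie["domain"]
    return domain_match(host, cookie["domain"])

def report(set_cookie, setting_host, hosts):
    """Map each (host, scheme) to True/False for one Set-Cookie response."""
    cookie = accept(set_cookie, setting_host)
    if cookie is None:
        return None
    return {(h, s): sent_to(cookie, h, s == "https") for h in hosts for s in ("https", "http")}

if __name__ == "__main__":
    hosts = ["as.abc.com.au", "accesscontrol.abc.com.au", "www.foo.com.au"]
    for key, sent in report(THREAD_COOKIE, "as.abc.com.au", hosts).items():
        print(key, "sent" if sent else "not sent")
```

The cookie reaches every *.abc.com.au host, over plain HTTP as well because the header carries no Secure attribute, and never reaches www.foo.com.au; appending "; Secure; HttpOnly" to the header value restricts it to HTTPS and hides it from page scripts.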