MDPF52_180608
Sep 03, 2015

problem with HTTP auth (APM)

Hello,

I tried to configure the HTTP Auth object on the APM Access Policy. There is some strange issue that I am not able to identify.

I tried to make the POST request from an HTTP request client. I have configured the SAME POST with the same parameters on the F5, but when I use the HTTP request client the response is 200 OK, while when the HTTP POST is made from the F5 the web server returns the 302 code.

POST Request:

    POST /xxx/portal HTTP/1.1
    Host: 10.1.1.1:9080
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    login_name: xxxxxx

    action=LoginAction&username=xxxxxx&password=xxxxxx&submit=Login

Can anyone suggest some tests that may help me troubleshoot the issue?

Thanks in advance.

4 Replies

  • Hi,

    Let's see if I got the problem right 🙂

    Sounds to me as if the 302 returned by the APM is the redirect to /my.policy, which is the normal behavior with APM. To suppress the redirects from APM you could use "clientless-mode":

    when HTTP_REQUEST {
        # enable the clientless-mode so that users will not follow 302 used by APM
        HTTP::header replace "clientless-mode" 1
    }
    

    Maybe this helps to solve your issue.

    Regards

    Micha

    • MDPF52_180608
      Thank you Michael! I will try to explain better... so: The HTTP POST is the request that is sent by the HTTP Auth object in the APM Policy, the request that the BIG-IP sends to the Web Server. Currently, I am trying to figure out if there is some HTTP header that is required by the Web Server in order to accept the POST request, but at the moment the situation is the following: HTTP Requester client - POST Request OK (Elements: 1. Content-Type Header: application/x-www-form-urlencoded 2. Custom APM header: %apmvariable 3. Body with data). Can you suggest something? Thanks in advance, Regards.
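
One test that fits the question in this thread, as an added example that is not part of any participant's post: capture the request the BIG-IP actually sends to the web server and compare it field by field with the request from the HTTP client that gets the 200. Both sample requests below are constructed for illustration (they are not a diagnosis of the poster's setup), and the function names are hypothetical.

```python
from urllib.parse import parse_qsl

SENSITIVE = {"password", "authorization", "cookie"}  # never echo these values

def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, headers, form fields)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    form = dict(parse_qsl(body.strip(), keep_blank_values=True))
    return lines[0].strip(), headers, form

def diff_requests(working, failing):
    """List (part, name, working_value, failing_value) for every field that differs."""
    w_line, w_hdr, w_form = parse_request(working)
    f_line, f_hdr, f_form = parse_request(failing)
    diffs = []
    if w_line != f_line:
        diffs.append(("request-line", "", w_line, f_line))
    for part, w, f in (("header", w_hdr, f_hdr), ("form", w_form, f_form)):
        for name in sorted(set(w) | set(f)):
            if w.get(name) == f.get(name):
                continue
            if name.lower() in SENSITIVE:
                diffs.append((part, name, "<redacted>", "<redacted>"))
            else:
                diffs.append((part, name, w.get(name), f.get(name)))
    return diffs

# Constructed sample: the request from the HTTP client that receives 200 OK.
CLIENT_REQUEST = (
    "POST /xxx/portal HTTP/1.1\r\n"
    "Host: 10.1.1.1:9080\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "login_name: xxxxxx\r\n\r\n"
    "action=LoginAction&username=xxxxxx&password=xxxxxx&submit=Login"
)
# Constructed sample: what a server-side capture of the BIG-IP request might show.
BIGIP_REQUEST = (
    "POST /xxx/portal HTTP/1.1\r\n"
    "Host: 10.1.1.1:9080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=LoginAction&username=xxxxxx&password=xxxxxx"
)

if __name__ == "__main__":
    for difference in diff_requests(CLIENT_REQUEST, BIGIP_REQUEST):
        print(difference)
```

Each reported difference is a candidate for what the web server requires before it accepts the login POST; credential fields are reported as differing without printing their values.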