Forum Discussion
Christopher_J_B
Nimbostratus
Nimbostratussignature header authentication
Any one create an iRule to perform - Signed Header Authentication ?
Basically the F5 would need to decrypt/validate received HTTP header(s) that are encrypted with a private key (shared between the F5 and the CDN)
- Are they encrypted or signed or both? Encryption and authentication are very different things, cryptographically speaking. What algorithm(s) would you want to be using?
There are a few cryptographic primitives available from iRules now. For authentication, people have definitely used them to do HMAC computation. - The_BhattmanHi Christopher,
What is the encryption based on? Is it based on MD5 or CRC?
Bhattman 
Christopher_J_BThis would be Akamai's g2o authentication used for CDN
The F5 will receive from Akamai edge servers a pair of headers. One in plain text with some data fields (time in epoch format, unique id, ...) and another with a base64 encoded signature. The signature is a hash (md5) of some of the data fields in the first header and a pre-shared secret.- Well, iRules has base64 and md5 commands, so that should be possible based on that information. I can't find any specific specs from Akamai, though, so I can't guarantee it.
Joel_MosesJudging by the code at https://github.com/refractalize/nginx_mod_akamai_g2o/blob/master/ngx_http_akamai_g2o_module.c (an NGINX module for supporting g2o), it looks like a fairly straightforward HMAC using a shared key, expressed in base64. This should be doable in iRules just fine.- Christopher_J_BNice find Joel and that did help - the iRule is being tested - thanks
Haluk_Yildirim_Hello:
I was wondering if you can share the iRule that you were working on.Thanks in advance
Luke
cacobos_13060Hello,I am working on it with but I can't do it work propertly, I was wondering as weel if you could share the iRule that you was working.Many Thanks in advance ;)
Russell_Moore_8I needed a rule to validate G2O headers so I wrote the below rule and I've also submitted it to codeshare.
Code when HTTP_REQUEST { Requires TMOS 11.1 or above for support for "CRYPTO::sign" This code block detects if the Akamai authentication headers are there if so it then does the caculations based on the shared secret finally it compares the output and logs a match if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} { set shared secret here set secret_key "pass" set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::path]" set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]" set signed_data [b64encode [CRYPTO::sign -alg hmac-md5 -key $secret_key $data]] if { $signed_data eq $signature } { log local0. "Signatures match" } } }
