Forum Discussion

Christopher_J_B
Sep 08, 2011

signature header authentication

Has anyone created an iRule to perform Signed Header Authentication?

Basically the F5 would need to decrypt/validate received HTTP header(s) that are encrypted with a private key (shared between the F5 and the CDN).





9 Replies

  • spark_86682 (Historic F5 Account)
    Are they encrypted or signed or both? Encryption and authentication are very different things, cryptographically speaking. What algorithm(s) would you want to be using?



    There are a few cryptographic primitives available from iRules now. For authentication, people have definitely used them to do HMAC computation.
  • Hi Christopher,


    What is the encryption based on? Is it based on MD5 or CRC?



  • This would be Akamai's g2o authentication used for CDN




    The F5 will receive from Akamai edge servers a pair of headers. One in plain text with some data fields (time in epoch format, unique id, ...) and another with a base64 encoded signature. The signature is a hash (md5) of some of the data fields in the first header and a pre-shared secret.
  • spark_86682 (Historic F5 Account)
    Well, iRules has base64 and md5 commands, so that should be possible based on that information. I can't find any specific specs from Akamai, though, so I can't guarantee it.
  • Judging by the code at (an NGINX module for supporting g2o), it looks like a fairly straightforward HMAC using a shared key, expressed in base64. This should be doable in iRules just fine.
  • Hello:



    I was wondering if you can share the iRule that you were working on.



    Thanks in advance






  • Hello,


    I am working on it with but I can't get it to work properly. I was wondering as well if you could share the iRule that you were working on.





    Many Thanks in advance ;)



  • I needed a rule to validate G2O headers so I wrote the below rule and I've also submitted it to codeshare.


    when HTTP_REQUEST {
        # Requires TMOS 11.1 or above for support for "CRYPTO::sign"
        # This code block detects if the Akamai authentication headers are there
        # if so it then does the calculations based on the shared secret
        # finally it compares the output and logs a match
        if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} {
            # set shared secret here
            set secret_key "pass"
            set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::path]"
            set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]"
            set signed_data [b64encode [CRYPTO::sign -alg hmac-md5 -key $secret_key $data]]
            if { $signed_data eq $signature } {
                log local0. "Signatures match"
            }
        }
    }
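
An offline reference check to test the iRule above against, added here as an example and not part of the original post or the codeshare entry: it computes the same base64 HMAC-MD5 over the data header plus path, compares in constant time, fails closed, and rejects stale timestamps. The data header layout (comma-separated, epoch time at index 3), the 30-second window and the sample values are assumptions.

```python
import base64
import hashlib
import hmac

# Assumed layout of the data header (not stated in the thread): comma-separated
# fields with the epoch timestamp at index 3. Adjust TIME_FIELD to your format.
TIME_FIELD = 3
MAX_SKEW = 30  # seconds of clock skew tolerated (assumed value)


def g2o_sign(secret: bytes, data_header: str, path: str) -> str:
    """base64(HMAC-MD5(secret, data_header + path)), as the posted iRule computes."""
    mac = hmac.new(secret, (data_header + path).encode(), hashlib.md5)
    return base64.b64encode(mac.digest()).decode()


def g2o_verify(secret: bytes, headers: dict, path: str, now: int) -> tuple:
    """Return (ok, reason). Fails closed on any missing or malformed input."""
    data = headers.get("X-Akamai-G2O-Auth-Data")
    sign = headers.get("X-Akamai-G2O-Auth-Sign")
    if not data or not sign:
        return (False, "missing header")
    expected = g2o_sign(secret, data, path).encode()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, sign.strip().encode()):
        return (False, "bad signature")
    # Only trust the timestamp after the MAC covering it has been verified.
    fields = [f.strip() for f in data.split(",")]
    try:
        ts = int(fields[TIME_FIELD])
    except (IndexError, ValueError):
        return (False, "bad timestamp")
    if abs(now - ts) > MAX_SKEW:
        return (False, "stale")
    return (True, "ok")


# Constructed sample request (all values are made up for this example).
SECRET = b"pass"
PATH = "/index.html"
DATA = "3, 192.0.2.10, 198.51.100.7, 1315440000, 12345678.1234567, nonce1"
SAMPLE = {"X-Akamai-G2O-Auth-Data": DATA,
          "X-Akamai-G2O-Auth-Sign": g2o_sign(SECRET, DATA, PATH)}

if __name__ == "__main__":
    print(g2o_verify(SECRET, SAMPLE, PATH, now=1315440005))
```

Sending the constructed headers to the virtual server and comparing the iRule's log line with this function's result shows whether both sides sign the same bytes.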