Forum Discussion

Christopher_J_B
Sep 08, 2011

signature header authentication

Has anyone created an iRule to perform Signed Header Authentication?

Basically the F5 would need to decrypt/validate received HTTP header(s) that are encrypted with a private key (shared between the F5 and the CDN).

  • spark_86682
    Historic F5 Account
    Are they encrypted or signed or both? Encryption and authentication are very different things, cryptographically speaking. What algorithm(s) would you want to be using?

    There are a few cryptographic primitives available from iRules now. For authentication, people have definitely used them to do HMAC computation.
  • Hi Christopher,

    What is the encryption based on? Is it based on MD5 or CRC?

    Bhattman
  • This would be Akamai's g2o authentication used for CDN.

    The F5 will receive from Akamai edge servers a pair of headers. One in plain text with some data fields (time in epoch format, unique id, ...) and another with a base64 encoded signature. The signature is a hash (md5) of some of the data fields in the first header and a pre-shared secret.
  • spark_86682
    Historic F5 Account
    Well, iRules has base64 and md5 commands, so that should be possible based on that information. I can't find any specific specs from Akamai, though, so I can't guarantee it.
  • Judging by the code at https://github.com/refractalize/nginx_mod_akamai_g2o/blob/master/ngx_http_akamai_g2o_module.c (an NGINX module for supporting g2o), it looks like a fairly straightforward HMAC using a shared key, expressed in base64. This should be doable in iRules just fine.
  • Hello:

    I was wondering if you can share the iRule that you were working on.

    Thanks in advance

    Luke

  • Hello,

    I am working on it but I can't make it work properly. I was wondering as well if you could share the iRule that you were working on.

    Many thanks in advance ;)

  • I needed a rule to validate G2O headers so I wrote the below rule and I've also submitted it to codeshare.

    Code
    when HTTP_REQUEST {
        # Requires TMOS 11.1 or above for support for "CRYPTO::sign"
        # This code block detects if the Akamai authentication headers are there;
        # if so, it then does the calculations based on the shared secret.
        # Finally, it compares the output and logs a match.

        if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} {

            # set shared secret here
            set secret_key "pass"
            # signed input: the Auth-Data header value followed by the request path
            set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::path]"
            set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]"
            # HMAC-MD5 over the data with the shared secret, base64 encoded
            set signed_data [b64encode [CRYPTO::sign -alg hmac-md5 -key $secret_key $data]]

            if { $signed_data eq $signature } {
                log local0. "Signatures match"
            }
        }
    }
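
Added example, not part of the thread or of the posted iRule: a Python reference that reproduces the rule's computation (base64 of HMAC-MD5 over the Auth-Data header value followed by the path), so matching and non-matching header pairs can be generated to test the iRule offline. It goes beyond the rule with a constant-time comparison and a timestamp freshness check; the comma-separated field layout, the position of the epoch time field, the 30-second window and the sample header values are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"pass"   # placeholder secret taken from the posted iRule
# Constructed sample header value; the comma-separated layout is an assumption.
SAMPLE_DATA = "3, 192.0.2.10, 198.51.100.7, 1315440000, 12345.67890, n0nce"
TIME_FIELD = 3     # assumed index of the epoch time field
MAX_SKEW = 30      # assumed freshness window, in seconds


def g2o_sign(secret: bytes, auth_data: str, path: str) -> str:
    """base64(HMAC-MD5(secret, auth_data + path)), the iRule's computation."""
    mac = hmac.new(secret, (auth_data + path).encode(), hashlib.md5)
    return base64.b64encode(mac.digest()).decode()


def g2o_verify(secret, auth_data, auth_sign, path, now):
    """Return (ok, reason) for one request's header pair."""
    if not auth_data or not auth_sign:
        return False, "missing header"
    expected = g2o_sign(secret, auth_data, path).encode()
    # Constant-time comparison, unlike a plain string equality test.
    if not hmac.compare_digest(expected, auth_sign.strip().encode()):
        return False, "bad signature"
    # Only trust the time field after the signature has been verified.
    fields = [f.strip() for f in auth_data.split(",")]
    try:
        ts = int(fields[TIME_FIELD])
    except (IndexError, ValueError):
        return False, "bad time field"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    return True, "ok"


if __name__ == "__main__":
    sig = g2o_sign(SECRET, SAMPLE_DATA, "/index.html")
    print("X-Akamai-G2O-Auth-Data:", SAMPLE_DATA)
    print("X-Akamai-G2O-Auth-Sign:", sig)
    for path, now in [("/index.html", 1315440010), ("/other", 1315440010),
                      ("/index.html", 1315443600)]:
        print(path, now, g2o_verify(SECRET, SAMPLE_DATA, sig, path, now))
```

The printed header pair can be replayed against a test virtual server to confirm the iRule logs a match for the first case only.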