Forum Discussion
Christopher_J_B
Nimbostratus
Sep 08, 2011
signature header authentication
Has anyone created an iRule to perform Signed Header Authentication?
Basically, the F5 would need to decrypt/validate received HTTP header(s) that are encrypted with a private key (shared between the F5 and the CDN).
- spark_86682
Historic F5 Account
Are they encrypted or signed or both? Encryption and authentication are very different things, cryptographically speaking. What algorithm(s) would you want to be using?
- The_Bhattman
Nimbostratus
Hi Christopher,
- Christopher_J_B
Nimbostratus
This would be Akamai's g2o authentication used for CDN
- spark_86682
Historic F5 Account
Well, iRules has base64 and md5 commands, so that should be possible based on that information. I can't find any specific specs from Akamai, though, so I can't guarantee it.
- Joel_Moses
Nimbostratus
Judging by the code at https://github.com/refractalize/nginx_mod_akamai_g2o/blob/master/ngx_http_akamai_g2o_module.c (an NGINX module for supporting g2o), it looks like a fairly straightforward HMAC using a shared key, expressed in base64. This should be doable in iRules just fine.
- Christopher_J_B
Nimbostratus
Nice find Joel and that did help - the iRule is being tested - thanks
- Haluk_Yildirim_
Nimbostratus
Hello:
Thanks in advance
Luke
- cacobos_13060
Nimbostratus
Hello, I am working on it with but I can't make it work properly. I was also wondering if you could share the iRule that you were working on. Many thanks in advance ;)
- Russell_Moore_8
Nimbostratus
I needed a rule to validate G2O headers so I wrote the below rule and I've also submitted it to codeshare.
Code

    when HTTP_REQUEST {
        # Requires TMOS 11.1 or above for support for "CRYPTO::sign"
        # This code block detects if the Akamai authentication headers are there
        # if so it then does the calculations based on the shared secret
        # finally it compares the output and logs a match
        if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} {
            # set shared secret here
            set secret_key "pass"
            set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::path]"
            set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]"
            set signed_data [b64encode [CRYPTO::sign -alg hmac-md5 -key $secret_key $data]]
            if { $signed_data eq $signature } {
                log local0. "Signatures match"
            }
        }
    }
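
The same check as an added Python example (not part of the original post, and not F5 or Akamai code): both sides of the exchange, with the origin failing closed on missing headers and comparing in constant time. The function names, key and header value are constructed for illustration; the signing input (auth-data header followed by the path, HMAC-MD5, base64) is taken from the iRule above.

```python
import base64
import hashlib
import hmac

DATA_HDR = "x-akamai-g2o-auth-data"
SIGN_HDR = "x-akamai-g2o-auth-sign"


def g2o_sign(secret: bytes, auth_data: str, path: str) -> str:
    """CDN side: base64(HMAC-MD5(secret, auth_data + path)), as in the iRule."""
    mac = hmac.new(secret, (auth_data + path).encode(), hashlib.md5)
    return base64.b64encode(mac.digest()).decode()


def g2o_verify(secret: bytes, headers: dict, path: str) -> bool:
    """Origin side: True only if both headers exist and the signature matches."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth_data, signature = h.get(DATA_HDR), h.get(SIGN_HDR)
    if not auth_data or not signature:
        return False  # fail closed: request did not arrive signed by the CDN
    expected = g2o_sign(secret, auth_data, path)
    # Constant-time comparison so the match position does not leak via timing.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    """Run constructed requests through the check and return each verdict."""
    secret = b"constructed-shared-secret"           # sample key, not a real one
    data = "constructed-auth-data-value"            # opaque sample header value
    good = {"X-Akamai-G2O-Auth-Data": data,
            "X-Akamai-G2O-Auth-Sign": g2o_sign(secret, data, "/index.html")}
    return {
        "valid": g2o_verify(secret, good, "/index.html"),
        "path_changed": g2o_verify(secret, good, "/admin"),
        "wrong_key": g2o_verify(b"other", good, "/index.html"),
        "unsigned": g2o_verify(secret, {"X-Akamai-G2O-Auth-Data": data}, "/index.html"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Because the path is part of the signed input, a signature captured for one URL does not validate for another; only the first constructed request is accepted.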