Forum Discussion
VB_95896
Nimbostratus
Jan 06, 2010
SSL only when auth - HTTP>SSL>HTTP
Hi,
I'd like to (re)produce the following behavior:
When a client sends an HTTP request to a website called "host", the intermediate BigIP requires an SSL connection (re...
hoolio
Cirrostratus
Jan 07, 2010
Hi Vincent,
If the two VIPs are on the same domain, you could use a cookie to track that the client has successfully authenticated against the auth server and redirect the client to the HTTP VIP. You could then check for that cookie on the HTTP VIP before redirecting the client back to HTTPS. From a security standpoint, you could try encrypting the client User-Agent header value with a timestamp and use that for the cookie. On requests, if the cookie value can be decrypted, the user-agent header from the cookie matches the client's user-agent and the timestamp is newer than some session timeout value, you would consider the auth cookie as valid.
Also, in 9.4+ the four AUTH_ events have been deprecated in favor of a single event, AUTH_RESULT (Click here).
You can get a few examples from the Codeshare for doing auth:
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHttpCookie.html
And you can check the default LDAP auth rule, _sys_auth_ldap.
Aaron
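The cookie check described in the reply above, as an added example that is not part of the original post and is not iRule code. It signs the timestamp and a hash of the User-Agent with HMAC-SHA256 rather than encrypting them, since the three checks only need integrity; the secret, the timeout, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values (assumptions): both VIPs must share the same secret.
SECRET = b"constructed-demo-key-change-me"
SESSION_TIMEOUT = 900  # seconds
MAC_LEN = hashlib.sha256().digest_size


def _ua_hash(user_agent):
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def _mac(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_cookie(user_agent, now=None):
    """Called on the HTTPS VIP after authentication succeeds."""
    ts = int(time.time()) if now is None else int(now)
    payload = f"{ts}:{_ua_hash(user_agent)}".encode("ascii")
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode("ascii")


def validate_cookie(cookie, user_agent, now=None):
    """Called on the HTTP VIP; returns (valid, reason)."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("utf-8"))
    except ValueError:
        return False, "malformed"
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    # Verify integrity before parsing anything out of the payload.
    if len(raw) <= MAC_LEN or not hmac.compare_digest(mac, _mac(payload)):
        return False, "bad signature"
    ts, _, ua_hash = payload.decode("ascii").partition(":")
    if not hmac.compare_digest(ua_hash, _ua_hash(user_agent)):
        return False, "user-agent mismatch"
    if not 0 <= now - int(ts) <= SESSION_TIMEOUT:
        return False, "expired"
    return True, "ok"
```

A request that fails any check would be redirected back to the HTTPS VIP to authenticate again.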