Forum Discussion
Adrien_Legros_1
Altostratus
AltostratusTCL error with local variable
Hi, I have a problem with the following Irule. Here are some explanations about the flow:
1) The client sends a request that must be authenticated. He will be redirected to an url on the same VIP with a different URI (/loginproxy/...). To keep the initial url, we save it in the variable ROAD (case 3).
2) On this server, the client will receive a cookie to proove ha has been authenticated. Now He must be redirected to the initial url that was saved in the variable ROAD. This redirection is based on the content of the header ROAD.
3) The client goes to the initial URL.
The problem is:
when I use global variable for ROAD, sometimes, 2 differents clients that goes to 2 differents URLs are exchanging the initial url, due to the global variable.
When I use local variabla (as now), I receive a TCP error saying that ROAD is not known when inserting in the headers (case 3).
How can I correct it or keep the initial url value?
Thanks for your help.
when RULE_INIT {
set road "vide"
set target "vide"
}
when CLIENT_ACCEPTED {
log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
}
when HTTP_REQUEST {
Debug variable. 0=Debug disabled, 1=Debug Enabled
set debug 1
set cert [SSL::cert 0]
Modify this to change the Application name sended to the error pages
set app_name "App1"
If no client certificate is reveived, the client is redirected to the error page
if {$cert eq ""} {
if {$debug == 1} {
log "no cert"}
HTTP::redirect "http://www.XXX.be/Error/certificate_reject.aspx?errCode=99&appName=$app_name&subject=None&issuer=None&validFrom=None&validTo=None" }
else {
When we receive a certificate
set result [SSL::verify_result]
set sujet [X509::subject $cert]
set issuer [X509::issuer $cert]
set serial [X509::serial_number $cert]
set debut [X509::not_valid_before $cert]
set fin [X509::not_valid_after $cert]
We first verify the validity. if the result is different than 0, we redirect the client to the error page
if {$result > 0} {
if {$debug ==1} { log "verify error - result = $result"}
HTTP::redirect "http://www.XXX.be/Error/certificate_reject.aspx?errCode=$result&appName=$app_name&subject=$sujet&issuer=$issuer&validFrom=$debut&validTo=$fin" }
else {
Then we verify the Issuer. If it not a trusted issuer listed in the DATA GROUP trusted_issuers, we redirect to the error page
if {not [class match $issuer contains trusted_issuers]} {
if {$debug == 1} {
log "not a trusted issuer - $issuer"}
HTTP::redirect "http://www.xxx.be/pub/App/Error/certificate_reject.aspx?errCode=$result&appName=$app_name&subject=Wrong_Issuer&issuer=$issuer&validFrom=$debut&validTo=$fin"
}
else {
if {$debug == 1} {
log "trusted issuer" log "Insert Certificate into the headers" }
Everything is fine, we can insert the certificate info in the headers
HTTP::header insert x-nbbcertsubject [X509::subject $cert]
HTTP::header insert x-nbbcertissuer [X509::issuer $cert]
HTTP::header insert x-nbbcertserial [X509::serial_number $cert]
HTTP::header insert x-nbbclientip [IP::client_addr]
Loadbalancing and pool selection based on the URI.
CASE 1 if {([HTTP::uri] starts_with "/soap/mfi")}{
if {$debug eq 1}{log local0. "1 Direct Request to [HTTP::uri]"}
HTTP::uri "/mifidws[HTTP::uri]"
set road "[HTTP::host][HTTP::uri]"
set target "MIFIDWS"
pool SecureProxy
}
elseif {([HTTP::uri] starts_with "/MIFID/invoke") or ([HTTP::uri] starts_with "/mifid/invoke")}{
CASE 2 if {$debug eq 1}{
log local0. "2 Direct Request to [HTTP::uri]"}
HTTP::uri "/mifidb2b[HTTP::uri]"
set road "[HTTP::host][HTTP::uri]"
set target "MIFIDB2B"
pool SecureProxy
}
elseif {([HTTP::uri] starts_with "/loginproxy") }{
CASE 3 if {$debug eq 1}{log local0. "3 Direct Request to [HTTP::uri]"}
HTTP::header insert target $road
HTTP::header insert x-targetapp $target
pool SecureProxy }
else {
if {$debug eq 1}{log local0. "4. Normal Request to [HTTP::uri]"} HTTP::redirect "http://www.google.be" } } } } }
2 Replies
hoolioCirrostratus
Any variable set in RULE_INIT will be global (and will demote the virtual server from using all cores available). You're using the road and target variables in the HTTP_REQUEST event. You could eliminate the intermediate variables and just reference the actual commands.
Aaron
Adrien_Legros_1Thanks Aaron for your answer but I do not understand how I could not use the variables as I need to keep the first url used by the client to modify the uri after the redirection. For example:
Request 1 is: https://app1.be/secureapp1
Our server redirect the user to https://app1.be/loginproxy (but I need to keep the first url in the headers as the backend will use it to write the next redirection.
Request 2: The client goes to https://app1.be/authentication a cookie is done and the server perform another redirection to the URL written in the header (target = $$road)
Request 3: the user go to the first url with the authentication information.
Problem is, with my irule, when the client goes to /loginproxy, when I insert the content of the variable in the header, variable seems not to exist. I can not use directly HTTP::uri is it no more the first url requested.
Thanks.
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}
