Forum Discussion
Adrien_Legros_1 (Altostratus)
Feb 07, 2011
TCL error with local variable
Hi, I have a problem with the following iRule. Here are some explanations about the flow:
1) The client sends a request that must be authenticated. He will be redirected to a URL on the same VIP with a different URI (/loginproxy/...). To keep the initial URL, we save it in the variable ROAD (case 3).
2) On this server, the client will receive a cookie to prove he has been authenticated. Now he must be redirected to the initial URL that was saved in the variable ROAD. This redirection is based on the content of the header ROAD.
3) The client goes to the initial URL.
The problem is:
When I use a global variable for ROAD, sometimes 2 different clients that go to 2 different URLs exchange the initial URL, due to the global variable.
When I use a local variable (as now), I receive a TCP error saying that ROAD is not known when inserting in the headers (case 3).
How can I correct it or keep the initial URL value?
Thanks for your help.
when RULE_INIT {
    set road "vide"
    set target "vide"
}

when CLIENT_ACCEPTED {
    log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
}

when HTTP_REQUEST {
    # Debug variable. 0=Debug disabled, 1=Debug enabled
    set debug 1
    set cert [SSL::cert 0]
    # Modify this to change the application name sent to the error pages
    set app_name "App1"

    # If no client certificate is received, the client is redirected to the error page
    if {$cert eq ""} {
        if {$debug == 1} { log "no cert" }
        HTTP::redirect "http://www.XXX.be/Error/certificate_reject.aspx?errCode=99&appName=$app_name&subject=None&issuer=None&validFrom=None&validTo=None"
    } else {
        # When we receive a certificate
        set result [SSL::verify_result]
        set sujet [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set serial [X509::serial_number $cert]
        set debut [X509::not_valid_before $cert]
        set fin [X509::not_valid_after $cert]

        # We first verify the validity. If the result is different from 0, we redirect the client to the error page
        if {$result > 0} {
            if {$debug == 1} { log "verify error - result = $result" }
            HTTP::redirect "http://www.XXX.be/Error/certificate_reject.aspx?errCode=$result&appName=$app_name&subject=$sujet&issuer=$issuer&validFrom=$debut&validTo=$fin"
        } else {
            # Then we verify the issuer. If it is not a trusted issuer listed in the DATA GROUP trusted_issuers, we redirect to the error page
            if {not [class match $issuer contains trusted_issuers]} {
                if {$debug == 1} { log "not a trusted issuer - $issuer" }
                HTTP::redirect "http://www.xxx.be/pub/App/Error/certificate_reject.aspx?errCode=$result&appName=$app_name&subject=Wrong_Issuer&issuer=$issuer&validFrom=$debut&validTo=$fin"
            } else {
                if {$debug == 1} {
                    log "trusted issuer"
                    log "Insert Certificate into the headers"
                }
                # Everything is fine, we can insert the certificate info in the headers
                HTTP::header insert x-nbbcertsubject [X509::subject $cert]
                HTTP::header insert x-nbbcertissuer [X509::issuer $cert]
                HTTP::header insert x-nbbcertserial [X509::serial_number $cert]
                HTTP::header insert x-nbbclientip [IP::client_addr]

                # Load balancing and pool selection based on the URI.
                # CASE 1
                if {[HTTP::uri] starts_with "/soap/mfi"} {
                    if {$debug eq 1} { log local0. "1 Direct Request to [HTTP::uri]" }
                    HTTP::uri "/mifidws[HTTP::uri]"
                    set road "[HTTP::host][HTTP::uri]"
                    set target "MIFIDWS"
                    pool SecureProxy
                } elseif {([HTTP::uri] starts_with "/MIFID/invoke") or ([HTTP::uri] starts_with "/mifid/invoke")} {
                    # CASE 2
                    if {$debug eq 1} { log local0. "2 Direct Request to [HTTP::uri]" }
                    HTTP::uri "/mifidb2b[HTTP::uri]"
                    set road "[HTTP::host][HTTP::uri]"
                    set target "MIFIDB2B"
                    pool SecureProxy
                } elseif {[HTTP::uri] starts_with "/loginproxy"} {
                    # CASE 3
                    if {$debug eq 1} { log local0. "3 Direct Request to [HTTP::uri]" }
                    HTTP::header insert target $road
                    HTTP::header insert x-targetapp $target
                    pool SecureProxy
                } else {
                    if {$debug eq 1} { log local0. "4. Normal Request to [HTTP::uri]" }
                    HTTP::redirect "http://www.google.be"
                }
            }
        }
    }
}
- hooleylist (Cirrostratus): Any variable set in RULE_INIT will be global (and will demote the virtual server from using all cores available). You're using the road and target variables in the HTTP_REQUEST event. You could eliminate the intermediate variables and just reference the actual commands.
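An added example, not part of the thread and not either poster's code: one way to keep each client's saved URL separate so that two clients cannot exchange values, keyed on the client certificate the posted iRule already requires. It assumes BIG-IP v10.1 or later (for the `table` command) and that the certificate is presented on every request; the subtable name `road_by_client`, the 300-second timeout and the 400 response are assumptions.

```tcl
# Added example, not the poster's rule. Assumes BIG-IP v10.1+ (table command)
# and a client certificate on every request, as in the posted iRule.
when HTTP_REQUEST {
    set cert [SSL::cert 0]
    if { $cert eq "" } {
        # No certificate, so no per-client key; the posted rule redirects here.
        return
    }
    # Issuer plus serial number identifies one client certificate.
    set key "[X509::issuer $cert]|[X509::serial_number $cert]"

    # Drop any copies of these headers sent by the client, so the backend
    # only ever sees the values inserted below.
    HTTP::header remove target
    HTTP::header remove x-targetapp

    if { [HTTP::uri] starts_with "/soap/mfi" } {
        # CASE 1 of the posted rule (CASE 2 is stored the same way).
        HTTP::uri "/mifidws[HTTP::uri]"
        set road "[HTTP::host][HTTP::uri]"
        # Keep road and target for this client only, in the session table
        # instead of a global. Subtable name and 300 s timeout are assumptions.
        table set -subtable road_by_client $key [list $road "MIFIDWS"] 300
        pool SecureProxy
    } elseif { [HTTP::uri] starts_with "/loginproxy" } {
        # CASE 3: may arrive on a new TCP connection, where locals set
        # during CASE 1 no longer exist, so read the table instead.
        set saved [table lookup -subtable road_by_client $key]
        if { $saved eq "" } {
            # Nothing stored or entry expired. The 400 is an assumed choice.
            log local0. "no saved URL for $key"
            HTTP::respond 400 content "No pending request"
            return
        }
        HTTP::header insert target [lindex $saved 0]
        HTTP::header insert x-targetapp [lindex $saved 1]
        pool SecureProxy
    }
}
```

The `table` command is CMP-compatible, so this does not demote the virtual server the way a RULE_INIT global does.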
- Adrien_Legros_1 (Altostratus): Thanks Aaron for your answer, but I do not understand how I could not use the variables, as I need to keep the first URL used by the client to modify the URI after the redirection. For example: