Forum Discussion
Ray_371608
Feb 05, 2019 (Nimbostratus)
The iRule:
when CLIENT_ACCEPTED {
    # Generate a timestamp for the log message below
    set myIntTime [clock format [clock seconds] -format "%Y-%m-%d_%H:%M:%S %z"]
    log local0. " ==================== BEGIN ========= $myIntTime =========== "
}

when HTTP_REQUEST {
    log local0. " BEGIN ========= HTTP_REQUEST"
    # Record the request arrival time; HTTP_RESPONSE reads this variable to
    # compute the latency (the rule as posted read it without ever setting it)
    set reqIntLatency [clock clicks -milliseconds]
    log local0. " === Auth Step 1"
    # Start one PAM/LDAP auth session per connection and remember its id
    if {not [info exists tmm_auth_http_sids(ldap)]} {
        log local0. " === Auth Step 2"
        set tmm_auth_sid [AUTH::start pam default_ldap]
        log local0. " tmm_auth_sid : $tmm_auth_sid"
        set tmm_auth_http_sids(ldap) $tmm_auth_sid
        log local0. " === Auth Step 3"
        if {[info exists tmm_auth_subscription]} {
            log local0. " === Auth Step 4"
            AUTH::subscribe $tmm_auth_sid
        }
    } else {
        log local0. " === Auth Step 5"
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
        log local0. " tmm_auth_sid : $tmm_auth_sid"
    }
    set user [HTTP::username]
    set pass [HTTP::password]
    # Debug only: this line writes the cleartext Basic-auth password to the LTM log
    log local0. " Auth using -$user- and -$pass-"
    log local0. " === Auth Step 6"
    AUTH::username_credential $tmm_auth_sid [HTTP::username]
    log local0. " === Auth Step 7"
    AUTH::password_credential $tmm_auth_sid [HTTP::password]
    log local0. " === Auth Step 8"
    AUTH::authenticate $tmm_auth_sid
    log local0. " === Auth Step 9"
    # Hold the request until AUTH_RESULT fires and count outstanding auth sessions
    if {not [info exists tmm_auth_http_collect_count]} {
        log local0. " === Auth Step 10"
        HTTP::collect
        log local0. " === Auth Step 11"
        set tmm_auth_http_successes 0
        set tmm_auth_http_collect_count 1
    } else {
        log local0. " === Auth Step 12"
        incr tmm_auth_http_collect_count
    }
    log local0. " END ========= HTTP_REQUEST"
}

when AUTH_RESULT {
    log local0. " BEGIN ========= AUTH_RESULT"
    log local0. " === Auth Step 13"
    set status [AUTH::status]
    log local0. " === Auth Step 14"
    log local0. " AuthStatus is: -$status-"
    # Ignore results that do not belong to the LDAP session started above
    if {not [info exists tmm_auth_http_sids(ldap)] or \
        ($tmm_auth_http_sids(ldap) != [AUTH::last_event_session_id]) or \
        (not [info exists tmm_auth_http_collect_count])} {
        log local0. " === Auth Step 15"
        return
    }
    log local0. " === Auth Step 16"
    if {[AUTH::status] == 0} {
        log local0. " === Auth Step 17"
        incr tmm_auth_http_successes
    }
    # If multiple auth sessions are pending and
    # one failure results in termination and this is a failure
    # or enough successes have now occurred
    if {([array size tmm_auth_http_sids] > 1) and \
        ((not [info exists tmm_auth_http_sufficient_successes] or \
        ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
        log local0. " === Auth Step 18"
        # Abort the other auth sessions
        foreach {type sid} [array get tmm_auth_http_sids] {
            log local0. " === Auth Step 19"
            unset tmm_auth_http_sids($type)
            if {($type ne "ldap") and ($sid != -1)} {
                log local0. " === Auth Step 20"
                AUTH::abort $sid
                incr tmm_auth_http_collect_count -1
            }
        }
        log local0. " === Auth Step 21"
    }
    log local0. " === Auth Step 22"
    # If this is the last outstanding auth then either
    # release or respond to this session
    incr tmm_auth_http_collect_count -1
    if {$tmm_auth_http_collect_count == 0} {
        log local0. " === Auth Step 23"
        unset tmm_auth_http_collect_count
        if {[AUTH::status] == 0} {
            log local0. " === Auth Step 24"
            HTTP::release
        } else {
            log local0. " === Auth Step 25"
            # A bare 401 carries no WWW-Authenticate header, so browsers
            # will not re-prompt for Basic credentials
            HTTP::respond 401
        }
        log local0. " === Auth Step 26"
    }
    log local0. " END ========= AUTH_RESULT"
}

when HTTP_RESPONSE {
    log local0. " BEGIN ========== HTTP_RESPONSE"
    # For Click-Jacking protection. The header takes exactly one value,
    # DENY or SAMEORIGIN; "(DENY || SAMEORIGIN)" as posted is not a valid value
    HTTP::header insert "X-FRAME-OPTIONS" "DENY"
    # Capture the response time for logging (reqIntLatency is set in HTTP_REQUEST)
    set latency [expr {[clock clicks -milliseconds] - $reqIntLatency}]
    log local0. " Call Latency: -$latency- milliseconds "
    log local0. " ==================== END ========= $myIntTime =========== "
}