AWS S3 Proxy: TCL iRule

Problem this snippet solves:

Create a secure proxy to AWS S3 using an iRule and iRulesLX.

Related Article: Creating a Secure AWS S3 Proxy with F5 iRulesLX

How to use this snippet:

  1. Install iRule via iRulesLX Workspace
  2. Create iRulesLX plugin
  3. Create AWS role or IAM credentials
  4. Create FQDN pool to AWS S3
  5. Create Virtual Server
  6. Enable OneConnect and WebAcceleration profiles
  7. Assign iRule to Virtual Server

Code :

when HTTP_REQUEST {
    # object key = request path without the leading slash
    set orig_path [string trimleft [HTTP::path] "/"]
    set key "s3:$orig_path"
    # look up a cached signed query string without resetting its idle timer
    set data [table lookup -notouch $key]

    if { $data eq "" } {
        # cache miss: ask the iRulesLX extension for a signed query string
        set RPC_HANDLE [ILX::init aws_s3_rpc_plugin aws_s3_rpc_ext]
        set rpc_response [ILX::call $RPC_HANDLE aws_s3_rpc_add_creds $orig_path]

        set qs [lindex $rpc_response 0]
        set expires [lindex $rpc_response 1]
        set time_to_expires [lindex $rpc_response 2]
        # save value in cache (timeout and lifetime are both time_to_expires)
        table set $key $qs $time_to_expires $time_to_expires
    } else {
        # use cached value
        set qs $data
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # specify bucket
        HTTP::header replace Host "secure-bucket.s3.amazonaws.com"
        # append the signed query string to the object path
        HTTP::uri "/$orig_path?$qs"
        #log local0. "https://secure-bucket.s3.amazonaws.com[HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # remove identifying data
    HTTP::header remove "Server"
    HTTP::header remove "x-amz-id-2"
    HTTP::header remove "x-amz-request-id"
    # answer S3's 403 with a generic 404
    if { [HTTP::status] == 403 } {
        HTTP::respond 404 content "not found"
    }
}

Tested this on version:

13.0
Published Jul 21, 2017
Version 1.0