Proxy Auth
Problem this snippet solves:
Proxy Authentication via LDAP
This iRule uses the advanced auth features on an LTM to authenticate users of a Proxy service via LDAP.
It collects authentication credentials from web browsers and hands them off to the authentication service. If the user authenticates successfully they will be permitted to use the service.
In practice, this iRule would be better combined with the proxy node hashing iRule, so that each destination node receives requests in a consistent manner and caching of content is maximized. For the purposes of this example I'm using Universal persistence based on the username.
Code :
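when CLIENT_ACCEPTED {
    set authinsck 0
    # Start an auth session against the LDAP auth configuration
    set asid [AUTH::start pam _sys_auth_ldap]
}

when HTTP_REQUEST {
    # Skip the first 7 characters of the list-formatted header value ("{Basic ")
    # and stop at the closing brace, then Base64-decode the "user:password" token
    set ProxyAuth [b64decode [substr "[HTTP::header values Proxy-Authorization]" 7 "\}"]]
    set ProxyUser [getfield $ProxyAuth ":" 1]
    # The password is everything after the first colon, so a password that
    # itself contains ":" is not truncated
    set colon [string first ":" $ProxyAuth]
    if { $colon >= 0 } {
        set ProxyPass [string range $ProxyAuth [expr {$colon + 1}] end]
    } else {
        set ProxyPass ""
    }
    set ProxyUserIP [IP::client_addr]
    log local0. "ProxyUser: $ProxyUser ProxyUserIP: $ProxyUserIP"

    AUTH::username_credential $asid $ProxyUser
    AUTH::password_credential $asid $ProxyPass
    AUTH::authenticate $asid

    # Hold the request until the auth result arrives
    HTTP::collect

    # Drop any client-supplied copy so the pool member only sees the value set here
    HTTP::header remove X-Authenticated-User
    HTTP::header insert X-Authenticated-User $ProxyUser
    HTTP::header insert X-Forwarded-For $ProxyUserIP
    persist uie $ProxyUser
}

when HTTP_RESPONSE {
    persist add uie $ProxyUser 3600
}

when AUTH_SUCCESS {
    if {$asid eq [AUTH::last_event_session_id]} {
        set authinsck 1
        # Authentication succeeded: let the held request through
        HTTP::release
    }
}

when AUTH_FAILURE {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
    }
}

when AUTH_WANTCREDENTIAL {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
    }
}

when AUTH_ERROR {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 407
    }
}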
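The credential-parsing step of the iRule, modelled as an added example in Python so it can be run off-box (it is not part of the original snippet). The function names and sample header values are assumptions constructed for illustration; `field_split` mimics taking colon-separated fields 1 and 2, and `parse_proxy_basic` is a stricter parser that splits on the first colon only and rejects malformed input.

```python
import base64
import binascii


def parse_proxy_basic(header_value):
    """Return (user, password) from a Proxy-Authorization value, or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ":", so split on the FIRST colon only;
    # everything after it, colons included, is the password.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    # Reject control characters so the name is safe to log and to place in a header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None
    return user, password


def field_split(header_value):
    """Mimic field-based parsing: skip 'Basic ', decode, take colon fields 1 and 2."""
    decoded = base64.b64decode(header_value[6:]).decode("utf-8")
    fields = decoded.split(":")
    return fields[0], (fields[1] if len(fields) > 1 else "")


def _basic(user, password):
    # Builds constructed sample header values for the demonstration below.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    samples = [_basic("alice", "s3cret"), _basic("bob", "pa:ss:word"),
               "Bearer abc", "Basic !!notbase64!!", _basic("", "x"), ""]
    for value in samples:
        print(repr(value), "->", parse_proxy_basic(value))
    print("field split:", field_split(_basic("bob", "pa:ss:word")))
```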
Published Mar 18, 2015
Version 1.0
John_McInnes_44
Nimbostratus
Joined May 18, 2006