BIG-IP APM: Max Sessions Per User – Enable users to terminate a specified session
Technical Challenge
Recently I was speaking with a customer and they mentioned that they leveraged the “Max Sessions Per User” setting within BIG-IP APM Access Profile to limit the number ...
Published Dec 22, 2015
Version 1.0
Robert_Teller_7
Historic F5 Account
Joined November 11, 2011
AN
Apr 10, 2017
Nimbostratus
Is there a way to restrict APM session per user per URI in HTTP_REQUEST? I want to restrict APM to run only the very first time it finds the URI /abc/session.svc, since that service is called a couple of times during communication but only the first URI call has the username and password. Currently it fails because when it runs a second time it doesn't get the password in URI /abc/session.svc. The following iRule:
when HTTP_REQUEST {
    switch [HTTP::method] {
        "COPY" -
        "MOVE" {
            # Replace Destination header with http if using SSL Offloading
            if { [HTTP::header Destination] starts_with "https" } {
                HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
            }
            HTTP::disable
        }
        "MKCOL" -
        "PROPPATCH" {
            HTTP::disable
        }
    }
    if { [HTTP::uri] contains "/abc/session.svc" } {
        ACCESS::enable
        HTTP::header insert "clientless-mode" 1
        # Check whether the MRHSession cookie refers to a session in the allowed state
        set apmsessionid [HTTP::cookie value MRHSession]
        if { [HTTP::cookie exists "MRHSession"] } {
            set apmstatus [ACCESS::session exists -state_allow $apmsessionid]
        } else {
            set apmstatus 0
        }
        if { !($apmstatus) } {
            # Insert Clientless-mode header to start APM in clientless mode
            if { [catch { HTTP::header insert "clientless-mode" 1 }] } {
                log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"
            }
        }
        if { [HTTP::method] eq "POST" } {
            # Collect the request body, capped at 1 MB (1048576 bytes)
            set clength 0
            if { [HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] <= 1048576 } {
                set clength [HTTP::header Content-Length]
            } else {
                set clength 1048576
            }
            if { [info exists clength] && $clength > 0 } { HTTP::collect $clength }
        }
    } else {
        ACCESS::disable
    }
}
when HTTP_REQUEST_DATA {
    # Parse XML Data
    # The search and terminator strings passed to findstr are empty in the post as published
    set xmluserdata [findstr [HTTP::payload] "" 10 ""]
    set xmluser [findstr $xmluserdata ">" 1 ""]
    set xmlpw [findstr $xmluserdata "" 10 end]
}
when ACCESS_SESSION_STARTED {
    # Variables from HTTP REQUEST Data (XML Parsing)
    if { [info exists "xmluser"] } {
        ACCESS::session data set session.logon.last.username $xmluser
        ACCESS::session data set session.logon.last.userid $xmluserdata
    }
    if { [info exists "xmlpw"] } {
        ACCESS::session data set session.logon.last.password $xmlpw
    }
    if { [info exists "xmluserdata"] } {
        ACCESS::session data set session.logon.last.useridpass $xmlpw
    }
}
when ACCESS_ACL_ALLOWED {
    # Pass the authenticated username to the backend and drop the Authorization header
    set user [ACCESS::session data get session.logon.last.username]
    HTTP::header insert "login" $user
    HTTP::header remove "Authorization"
}