HTTP Basic Access Authentication iRule Style

I started working on an administrator control panel for my previous Small URL Generator Tech Tip (part 1 and part 2) and realized that we probably didn’t want to make our Small URL statistics and con...
Published Sep 30, 2010
Version 1.0
automation
BIG-IP
BIG-IP Access Policy Manager (APM)
isv
management
monitoring
news
security
tech tip
Jay_Guerette's avatar
Jay_Guerette
Icon for Nimbostratus rankNimbostratus
Jan 24, 2014
Here's an updated version that acts as a gate rather than a wrapper, uses better logic, and also has reduced overhead:

 

 

- empty string comparison is quicker than length comparison

 

- perform basic filtering/evaluation before doing more expensive functions

 

- redirect on failure instead of allowing an endless loop

 

- logging should probably not be done on the LTM

 

 

when HTTP_REQUEST {

 

 

possible logic to narrow scope to host, path, or individual resource

 

 

if { [HTTP::username] eq "" or [HTTP::password] eq "" } {

 

HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""

 

return

 

}

 

binary scan [ md5 [HTTP::password]] H* password

 

if { [class lookup "[HTTP::username]" authorized_users] ne $password } {

 

log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"

 

HTTP::redirect http:\\yourdomain.com\somewhere_else\denied.html

 

return

 

}

 

log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]"

 

 

remaining logic here ....

 

 

}