on
06-Apr-2016
21:21
- edited on
05-Jun-2023
22:56
by
JimmyPackets
Problem this snippet solves:
How to use this snippet:
Generate key to use in iRule.
when RULE_INIT { log local0. "key value : [b64encode [AES::key 256]]" }
If iRule is saved in BIG-IP, the command is executed and log on /var/log/ltm file.
Rule /Common/aes_key <RULE_INIT>: key value : QUVTIDI1NiAxYTIyZTdlMzMxZDBhYmQ0NTNlYTVlMTJhODdhZThiNTdmMjRiZGUwYjZiNDI1YzYwZmMxNDk0ZjNkYzNlMmRi
The generated key can be used in any iRule, and the key must to keep in secure place (place in iRule only)
when RULE_INIT { set static::my_key_256 "QUVTIDI1NiAxYTIyZTdlMzMxZDBhYmQ0NTNlYTVlMTJhODdhZThiNTdmMjRiZGUwYjZiNDI1YzYwZmMxNDk0ZjNkYzNlMmRi" set static::my_key $static::my_key_256 } when HTTP_REQUEST { ... # cookie encryption with dynamic value set cookie_data "[IP::client_addr]:[clock seconds]:MY_COOKIE" set b64_enc_cookie "[b64encode [AES::encrypt [b64decode $static::my_key] $cookie_data]]" HTTP::respond 302 -version 1.1 Location "http://[HTTP::host][HTTP::uri]" Set-Cookie "MyCookie=$b64_enc_cookie" ... # cookie decryption set d_data [AES::decrypt [b64decode $static::my_key] [b64decode [HTTP::cookie MyCookie]]] ... }
Code :
when RULE_INIT { # key value and select one of key to decipher HTTP Cookie # 256 bit key set static::my_key_256 "QUVTIDI1NiAxYTIyZTdlMzMxZDBhYmQ0NTNlYTVlMTJhODdhZThiNTdmMjRiZGUwYjZiNDI1YzYwZmMxNDk0ZjNkYzNlMmRi" # Select one of key set static::my_key $static::my_key_256 log local0. "selected key : $static::my_key" # cookie life time set static::cookie_lifetime "600" # cookie re-generation time before expire set static::cookie_exp "15" } when HTTP_REQUEST { # Debug log setting # enable : 1 # disable : 0 set DEBUG 1 # Cookie data : client_IP::MY_COOKIE # check cookie value is existence if { [HTTP::cookie MyCookie] ne "" } { # decrypt cookie data set d_data [AES::decrypt [b64decode $static::my_key] [b64decode [HTTP::cookie MyCookie]]] if { $DEBUG } { log local0. "cookie value : [HTTP::cookie MyCookie]" } if { $DEBUG } { log local0. "decrypted cookie value : $d_data" } # check decryption status / set dummy value if the decryption was failed (empty string) if { $d_data ne "" } { set cookie_data [split $d_data ":"] } else { # set dummy data to send new cookie set cookie_data {0.0.0.0 1458328520 COOKIE_DUM} if { $DEBUG } { log local0. "decryption faile (by changing key) and set dummy value" } } if { (([clock seconds] - [lindex $cookie_data 1]) <= ($static::cookie_lifetime - $static::cookie_exp)) && ([lindex $cookie_data 2] eq "MY_COOKIE") } { if { $DEBUG } { log local0. "allowed request : [HTTP::host][HTTP::uri]" } } else { # cookie is invalid or expire soon, and set a new cookie if { $DEBUG } { log local0. "cookie value is invalid or expired and re-generate a new cookie" } call redirect_with_cookie $DEBUG } # HTTP request doesn't have MyCookie } else { if { $DEBUG } { log local0. "No MyCookie cookie in HTTP request and generate a new cookie" } call redirect_with_cookie $DEBUG } } proc redirect_with_cookie args { set cookie_data "[IP::client_addr]:[clock seconds]:MY_COOKIE" set b64_enc_cookie "[b64encode [AES::encrypt [b64decode $static::my_key] $cookie_data]]" if { $args } { log local0. "new generated cookie : $b64_enc_cookie" } HTTP::respond 302 -version 1.1 Location "http://[HTTP::host][HTTP::uri]" Set-Cookie "MyCookie=$b64_enc_cookie" }