John_McInnes_44

Problem this snippet solves:

Provides authentication offload to a service such as LDAP.

How to use this snippet:

For the purposes of testing this example I'm using a Universal persistence based on the user that has been authenticated. In reality it would be better to combine this rule with the proxy node hashing iRule elsewhere on DevCentral.

Code :

when CLIENT_ACCEPTED {
   set authinsck 0
   set asid [AUTH::start pam _sys_auth_ldap]
}

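when HTTP_REQUEST {
   # Proxy-Authorization is "Basic <base64 of user:password>"; skip the 6-character "Basic " prefix
   set ProxyAuth [b64decode [substr [HTTP::header value Proxy-Authorization] 6]]
   # Split on the first colon only, so a password that contains ":" is not truncated
   set sep [string first ":" $ProxyAuth]
   if { $sep >= 0 } {
      set ProxyUser [string range $ProxyAuth 0 [expr {$sep - 1}]]
      set ProxyPass [string range $ProxyAuth [expr {$sep + 1}] end]
   } else {
      set ProxyUser $ProxyAuth
      set ProxyPass ""
   }
   set ProxyUserIP [IP::client_addr]
   log local0. "ProxyUser: $ProxyUser ProxyUserIP: $ProxyUserIP"
   AUTH::username_credential $asid $ProxyUser
   AUTH::password_credential $asid $ProxyPass
   AUTH::authenticate $asid
   # Hold the request until AUTH_SUCCESS releases it
   HTTP::collect
   # Drop any client-supplied copy so the backend only sees the value set here
   HTTP::header remove X-Authenticated-User
   HTTP::header insert X-Authenticated-User $ProxyUser
   HTTP::header insert X-Forwarded-For $ProxyUserIP
   persist uie $ProxyUser
}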

when HTTP_RESPONSE {
   persist add uie $ProxyUser 3600
}

when AUTH_SUCCESS {
   if {$asid eq [AUTH::last_event_session_id]} {
      set authinsck 1
      HTTP::release
   }
}

when AUTH_FAILURE {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
   }
}

when AUTH_WANTCREDENTIAL {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
   }
}

when AUTH_ERROR {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407
   }
}
Version history
Last update: 18-Mar-2015 14:14