John_McInnes_44
Nimbostratus

Problem this snippet solves:

Proxy Authentication via LDAP

This iRule uses the advanced auth features on an LTM to authenticate users of a Proxy service via LDAP.

It collects authentication credentials from web browsers and hands them off to the authentication service. If the user authenticates successfully, they will be permitted to use the service.

In practice this iRule would be better combined with the proxy node hashing iRule, so that the destination node receives destination requests in a consistent manner and content caching is maximized. For the purposes of this example I'm using Universal persistence based on the username.

Code :

when CLIENT_ACCEPTED {
   set authinsck 0
   set asid [AUTH::start pam _sys_auth_ldap]
}

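when HTTP_REQUEST {
   # "HTTP::header values" returns a Tcl list, so a value containing a space arrives
   # wrapped in list braces: skip the 7 leading characters (opening brace plus
   # "Basic ") and stop at the closing brace.
   set ProxyAuth [b64decode [substr "[HTTP::header values Proxy-Authorization]" 7 "\}"]]
   # Split on the first colon only: the password may itself contain colons.
   set ProxyUser [getfield $ProxyAuth ":" 1]
   set ProxyPass [string range $ProxyAuth [expr {[string length $ProxyUser] + 1}] end]
   set ProxyUserIP [IP::client_addr]
   log local0. "ProxyUser: $ProxyUser ProxyUserIP: $ProxyUserIP"
   AUTH::username_credential $asid $ProxyUser
   AUTH::password_credential $asid $ProxyPass
   AUTH::authenticate $asid
   # Hold the request until AUTH_SUCCESS releases it or a 407 is sent.
   HTTP::collect
   # Drop any client-supplied copy so the pool member only sees the value set here.
   HTTP::header remove X-Authenticated-User
   HTTP::header insert X-Authenticated-User $ProxyUser
   HTTP::header insert X-Forwarded-For $ProxyUserIP
   persist uie $ProxyUser
}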

when HTTP_RESPONSE {
   persist add uie $ProxyUser 3600
}

when AUTH_SUCCESS {
   if {$asid eq [AUTH::last_event_session_id]} {
      set authinsck 1
      HTTP::release
   }
}

when AUTH_FAILURE {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
   }
}

when AUTH_WANTCREDENTIAL {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407 "Proxy-Authenticate" "Basic realm=\"Proxy Service\""
   }
}

when AUTH_ERROR {
   if {$asid eq [AUTH::last_event_session_id]} {
      HTTP::respond 407
   }
}
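
The credential parsing done in HTTP_REQUEST has several edge cases: a password that contains a colon (splitting on every colon truncates it), a non-Basic scheme, malformed base64, or no header at all. The following Python sketch is an added example, not part of the original iRule; the function names and sample headers are hypothetical and constructed for illustration.

```python
import base64
import binascii

def parse_proxy_basic(header_value):
    """Return (user, password) from a Proxy-Authorization value, or None if unusable."""
    if not header_value:
        return None                      # no credentials yet: caller answers 407
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None                      # scheme names are case-insensitive
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # malformed base64 or undecodable bytes
    user, sep, password = decoded.partition(":")   # split on the FIRST colon only
    if not sep or not user:
        return None                      # the "user:password" form is mandatory
    return user, password

def naive_fields(decoded):
    """Field-style split on every ':' for comparison; loses the password tail."""
    parts = decoded.split(":")
    return parts[0], parts[1] if len(parts) > 1 else ""

def _hdr(user_pass):
    return "Basic " + base64.b64encode(user_pass.encode()).decode()

# Constructed sample headers (not captured traffic).
SAMPLES = {
    "plain": _hdr("alice:s3cret"),
    "colon_in_password": _hdr("bob:pa:ss:word"),
    "lowercase_scheme": _hdr("carol:pw").replace("Basic", "basic"),
    "other_scheme": "Negotiate YIIabc",
    "bad_base64": "Basic !!!notbase64",
    "no_colon": _hdr("dave"),
    "missing": "",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} -> {parse_proxy_basic(value)}")
    print("naive split:", naive_fields("bob:pa:ss:word"))
```

Every `None` result corresponds to a case where the proxy should answer 407 with a `Proxy-Authenticate` challenge instead of passing partial credentials to the LDAP backend.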

Last update: 18-Mar-2015 14:15