AlexBCT
MVP

Problem this snippet solves:

Sometimes you want some authentication for a system, but don't want to build an AD server or connect to another complex authentication system. This iRule simplifies that and makes it easy to manage the credentials from within the iRule itself. If preferred, the credentials can also be put in a DataGroup, but for ease of (bulk) replacement this has not been done here.


How to use this snippet:

In LTM: Create a new Virtual server, destination IP: <auth-vs-ip>, destination port: 80 (can use SSL if preferred of course), add an HTTP profile and the newly created iRule.


For use in an APM policy:

- Create a new HTTP auth server in APM, authentication type Basic/NTLM, Start URI: http://auth-vs-ip/auth.url

- In your APM Access Policy, create a new HTTP auth agent, referencing the newly created HTTP auth server

Code :

#####################################################################################
# Simple Authentication Server
# v1.0 - Alex Tijhuis
# The iRule is checking for a specific authentication URI, and then 
# checks HTTP Basic authentication for credentials. 
# If the credentials provided match up with the details in the "switch" statement, 
# the iRule responds with an HTTP 200 OK code, otherwise an HTTP 401 authorization required response. 
# Not a lot has been spent on security for this iRule, so it is probably best to
# only allow internal connections to connect to this iRule (e.g. from internal APM) 
# Additional users can be added by adding extra lines to the "switch" statement
######################################################################################

when HTTP_REQUEST {
    set outcome sad
    # Ignore every request that is not for the authentication URI
    # (log before return, otherwise the log line is never reached)
    if {not ([string tolower [HTTP::uri]] contains "auth.url")} {
        log local0. "No auth request found"
        return
    }
    switch [HTTP::username] {
        "student1" { if { [HTTP::password] == "pass1" } { set outcome happy }}
        "student2" { if { [HTTP::password] == "pass2" } { set outcome happy }}
        "student3" { if { [HTTP::password] == "pass3" } { set outcome happy }}
        "student4" { if { [HTTP::password] == "pass4" } { set outcome happy }}
        "student5" { if { [HTTP::password] == "pass5" } { set outcome happy }}
        "student6" { if { [HTTP::password] == "pass6" } { set outcome happy }}
        "student7" { if { [HTTP::password] == "pass7" } { set outcome happy }}
        "student8" { if { [HTTP::password] == "pass8" } { set outcome happy }}
        "student9" { if { [HTTP::password] == "pass9" } { set outcome happy }}
        "student10" { if { [HTTP::password] == "pass10"} { set outcome happy }}
    }
    # In Tcl the "else" must follow the closing brace on the same line
    if { $outcome == "happy" } {
        HTTP::respond 200 content "$outcome"
        #log local0. "User [HTTP::username], successfully logged in"
    } else {
        HTTP::respond 401 content "$outcome"
        # Log the username only; the supplied password must never be written to the log
        log local0. "User [HTTP::username] no dice"
    }
}
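The DataGroup variant that the description mentions, written here as an added example rather than the author's snippet: credentials move out of the iRule into a string data group as salted SHA-256 hashes, the source restriction from the header comment is enforced with an address data group, and no credential is ever logged. The data group names `dg_auth_users` and `dg_auth_clients` and the `salt:hash` value layout are assumptions made for this example.

```tcl
# Added example (not part of the original snippet). Assumes two data groups you create:
#   dg_auth_users   (type string) : key = username, value = "<salt>:<sha256 hex of salt+password>"
#   dg_auth_clients (type address): hosts/networks allowed to call the auth virtual server
when HTTP_REQUEST {
    # Only service the authentication URI; everything else is ignored
    if { not ([string tolower [HTTP::uri]] contains "auth.url") } {
        log local0. "No auth request found"
        return
    }
    # Enforce the header comment's advice: only internal (e.g. APM) callers
    if { not [class match [IP::client_addr] equals dg_auth_clients] } {
        log local0. "Auth request from unexpected client [IP::client_addr]"
        HTTP::respond 403 noserver content "forbidden"
        return
    }
    set user [HTTP::username]
    set pass [HTTP::password]
    set outcome sad
    # No Basic credentials, or an unknown user, falls straight through to the 401
    if { $user ne "" && [class match $user equals dg_auth_users] } {
        # Stored value looks like "a1b2c3d4:<64 lowercase hex chars>"
        set stored [class lookup $user dg_auth_users]
        set salt [lindex [split $stored ":"] 0]
        set expected [lindex [split $stored ":"] 1]
        # sha256 returns a binary digest; convert it to lowercase hex before comparing
        binary scan [sha256 "${salt}${pass}"] H* computed
        if { [string equal $computed $expected] } {
            set outcome happy
        }
    }
    if { $outcome eq "happy" } {
        HTTP::respond 200 noserver content "$outcome"
        log local0. "User $user authenticated"
    } else {
        # 401 carries the Basic challenge; the log records the username only, never the password
        HTTP::respond 401 noserver content "$outcome" WWW-Authenticate "Basic realm=\"auth\""
        log local0. "User $user authentication failed"
    }
}
```

To produce a stored value, hash the salt concatenated with the password, e.g. `printf '%s%s' "$salt" "$password" | openssl dgst -sha256`, and store it as `salt:hexdigest` under the username key.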

Tested this on version:

15.1
Version history
Last update: 05-May-2021 08:17