Bypass security if url contains particular string

Frank0ph
Nimbostratus

Hi,

I'm quite a newbie to F5 so apologies if I ask stupid questions!

 

We've got a new requirement to lock down one of our websites with 2FA for all users when accessing the site from outside of the office. I'm pretty comfortable with this part.

 

However, an extra requirement is that there are external customers who access a client portal and then redirect into a sub site from the site we want to lock down. We don't want this to require any authentication.

 

Example:

MFA applied to site: www.xyz.co.uk

 

Customer logs in to www.abc.co.uk

Customer clicks on link to report which redirects to:

https://xyz.co.uk/QVajaxzfc/opendoc.htm?document=Company%2f[DOCUMENTNAME]&ticket=xxxxxxxxxxxxxxxxxxxxxxx

 

The persistent part of the redirect URL is that it always contains "&ticket".

 

From what I've found, it should be possible to take an action using an iRule if a URL contains "&ticket". What I'm not sure about is how I would set this up to have an access policy for the MFA and a way for that to be bypassed if this string is detected.

 

Can an iRule be configured that would call the access policy if that condition is not met? Or, in reverse, is there a way of doing this same query directly through an access policy?

 

Or am I going down completely the wrong route and there is a much better way to do this?

 

Apologies if my question is a bit vague, but I'd appreciate any assistance.

Thanks

6 REPLIES

NAG
Cirrostratus

Hi,

 

I believe you are going down the wrong way.

Once the MFA is successful, APM creates a session and tracks every transaction going through it by validating tokens and session cookies.

Access policy is to allow access to an authenticated user. If you want to use an iRule to bypass the Access Policy if it contains a token, how do you validate the token/ticket?

 

We need to know more about the flow and access control requirements to guide you in the right direction.

 

Thank you,

Nag

 

Juraj
Cirrus

You could probably disable APM for every GET request that contains a non-empty "ticket" parameter:

    when HTTP_REQUEST {
        # Skip the APM access policy for GET requests carrying a non-empty "ticket" query parameter
        if { ([HTTP::method] eq "GET") and ([URI::query [HTTP::uri] ticket] ne "") } {
            ACCESS::disable
        }
    }

 

Thanks for the responses.

Juraj, your suggestion sounds like what I want.

Does that imply that the word "ticket" just needs to be included or that there must be some text after the word ticket?

 

Having tested the site, we found that if I were to enter the URL up to the point of ticket with nothing after it, it would present a single FA logon page, so any rule we put in to allow these links through would need to check for ticket=n with n being any text.

 

Apologies if that's what your rule is saying already!

"ne" in the iRule stands for “not equal”, so the iRule above expects the parameter “ticket” in the URL to exist and not be empty, i.e. it must have some value. If you know the logic of that value, you could also validate it in your iRule to make sure someone is not bypassing your controls by simply adding a non-empty “ticket” parameter.

 

I have something similar on our F5, where the iRule lets all POST requests from Slack in to our internal JIRA system, as long as such POST requests contain a specific Slack token.

Thanks Juraj, this looked like the perfect solution but it doesn't seem to be getting through. I've tried to log all of the URIs that come through during the page loading process but can't seem to get the syntax right.

Do you know what I need to enter to get it to output all of the pages during the connection?

Alternatively, is it possible to log the result from the iRule?

 

When I use the iRule that you suggested, the site does bypass the Access Policy as requested; however, the site doesn't load and comes back with "failed to load resource" for the site's pages (404 Not Found errors), just getting stuck on a loading page.

 

Is there anything in the passing of the iRule that would affect the site being able to load? Surely after it has passed it through, it should be able to load as normal.

 

If the rule and access policy are disabled the site loads no problem with no such errors.
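
An added example, not written by any poster in this thread: one way to combine the two points raised above, validating the "ticket" value before calling ACCESS::disable and logging every request with the bypass decision and the response status. The path prefix is taken from the example URL in the question; the ticket format (16 to 64 letters, digits, "-" or "_") is an assumption and must be replaced with whatever the portal really issues.

```tcl
# Added example, not from the thread. Assumptions to adjust for your site:
#   - the bypass is only wanted under /QVajaxzfc/ (prefix from the example URL)
#   - a genuine ticket is 16-64 chars of A-Z a-z 0-9 "_" "-" (assumed format)
when HTTP_REQUEST {
    set req_path [HTTP::path]
    set ticket   [URI::query [HTTP::uri] ticket]
    set bypass   0

    # Bypass APM only for a GET under the expected path whose ticket has the
    # expected shape. An empty or malformed ticket stays behind the access policy.
    if { [HTTP::method] eq "GET"
         && [string tolower $req_path] starts_with "/qvajaxzfc/"
         && [regexp {^[A-Za-z0-9_-]{16,64}$} $ticket] } {
        set bypass 1
        ACCESS::disable
    }

    # Log the path, not the full URI, so the ticket value itself never
    # ends up in the log file.
    log local0. "req client=[IP::client_addr] method=[HTTP::method] host=[HTTP::host] path=$req_path ticket_present=[expr {$ticket ne ""}] apm_bypass=$bypass"
}

when HTTP_RESPONSE {
    # Pair each back-end status with the request that produced it, which shows
    # which page resources return 404 and whether they were bypassed.
    log local0. "resp path=$req_path status=[HTTP::status] apm_bypass=$bypass"
}
```

The `log local0.` lines are written to /var/log/ltm on the BIG-IP. A shape check like this only narrows the bypass; it does not prove the ticket was issued by the portal, which is the validation question raised earlier in the thread.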