Forum Discussion

Frank0ph
Feb 28, 2020

Bypass security if url contains particular string

hi,

I'm quite a newbie to F5 so apologies if I ask stupid questions!

We've got a new requirement to lock down one of our websites with 2FA for all users when accessing the site from outside of the office. I'm pretty comfortable with this part.

However, an extra requirement is that there are external customers who access a client portal and are then redirected into a sub site of the site we want to lock down. We don't want this to require any authentication.

Example:

MFA applied to site: www.xyz.co.uk

Customer logs in to www.abc.co.uk

Customer clicks on link to report which redirects to:

https://xyz.co.uk/QVajaxzfc/opendoc.htm?document=Company%2f[DOCUMENTNAME]&ticket=xxxxxxxxxxxxxxxxxxxxxxx

What is persistent in the redirect URL is that it always contains "&ticket".

From what I've found it should be possible to take an action using an iRule if a URL contains "&ticket". What I'm not sure about is how I would set this up to have an access policy for the MFA and a way for that to be bypassed if this string is detected.

Can an iRule be configured that would call the access policy if that condition is not met? Or, in reverse, is there a way of doing this same query directly through an access policy?

Or am I going down completely the wrong route and there is a much better way to do this?

Apologies if my question is a bit vague, but I'd appreciate any assistance.

thanks

6 Replies

  • NAG

    Hi,

    I believe you are going down the wrong way.

    Once the MFA is successful, APM creates a session and tracks every transaction going through it by validating tokens and session cookies.

    An access policy is there to allow access to an authenticated user. If you want to use an iRule to bypass the access policy when the request contains a token, how do you validate the token/ticket?

    We need to know more about the flow and access control requirements to guide you in the right direction.

    Thank you,

    Nag

  • You could probably disable APM for every GET request that contains a non-empty "ticket" parameter

    when HTTP_REQUEST {
      # Only a GET request whose query string carries a non-empty "ticket"
      # parameter skips the APM access policy; everything else still gets MFA.
      if { ([HTTP::method] eq "GET") and ([URI::query [HTTP::uri] ticket] ne "") } {
        # ACCESS::disable switches off APM processing for this request only
        ACCESS::disable
      }
    }
    • Frank0ph

      Thanks for the responses.

      Juraj your suggestion sounds like what I want.

      Does that imply that the word "ticket" just needs to be included or that there must be some text after the word ticket?

      Having tested the site, we found that if I were to enter the URL up to the point of ticket with nothing after it, it would present a single-FA logon page, so any rule we put in to allow these links through would need to check for ticket=n with n being any text.

      Apologies if that's what your rule is saying already!

      • Juraj

        ne in the iRule stands for “not equal”, so the iRule above expects the parameter “ticket” in the URL to exist and not be empty, i.e. it must have some value. If you know the logic of that value, you could also validate it in your iRule to make sure someone is not bypassing your controls by simply adding a non-empty “ticket” parameter.

        I have something similar on our F5, where the iRule lets all POST requests from Slack in to our internal JIRA system, as long as such POST requests contain a specific Slack token.
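A hardened variant of that iRule along the lines Juraj describes, added here as an example and not code from the thread or from F5: the opendoc.htm path prefix is taken from the URL in the question, and the ticket character pattern is an assumption standing in for the real ticket syntax.

```tcl
when HTTP_REQUEST {
    # Assumed: only the report viewer path from the question is eligible for
    # bypass; any other path, or any non-GET method, always goes through MFA.
    if { ([HTTP::method] ne "GET") or not ([HTTP::path] starts_with "/QVajaxzfc/opendoc.htm") } {
        return
    }
    set ticket [URI::query [HTTP::uri] ticket]
    # Assumed ticket syntax (placeholder): 24 to 64 letters or digits. Replace
    # with the real format; the tighter this check, the less a forged
    # "ticket=x" parameter gains anyone trying to skip the access policy.
    if { [regexp {^[A-Za-z0-9]{24,64}$} $ticket] } {
        log local0. "APM bypass: ticketed report request from [IP::client_addr] for [HTTP::path]"
        ACCESS::disable
    } else {
        # Missing or malformed ticket: fall through to APM so the MFA logon applies
        log local0. "No valid ticket on [HTTP::path] from [IP::client_addr]; enforcing MFA"
    }
}
```

The log lines give you a record of every bypass decision, which is what an auditor will ask for once an unauthenticated path exists next to an MFA-protected site.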