Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Mar 22, 2021

How to make access profile allow non auth'ed people in

Hi

 

if I have a

vs_test

 

and I apply access profile to vs_test (say ap_test)

 

and the flow for that is

 

start -> allow

 

that still fails

 

if i want to allow user to browse to http://test/ and if there is no userid/auth session allow them in

but if they go to

https://test/secret

it bumps them off to a logon page

 

To expand I was thinking to use per request access prolicy to protect /secret or any other uri that needs protection

 

 

I can't seem to do it

 

 

 

 

APM
ASM Advanced WAF
security

2 Replies

Sort By
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Mar 23, 2021

    Hi,

     

    I think you are on the right track. A policy with "Start ---> Allow" will work, everyone will pass without the need to further authenticate.

     

    Pay attention, in your example above you are mixing http and https URLs. If your VS is listening on http and you Access Policy has a setting for "Cookie Options: Secure" enabled it won't work with http, only with https.

    A cookie with the Secure attribute set is sent to the server only over https.

    If you apply an Access Policy with "Cookie Options: Secure" enabled to a http virtual then APM will display a blocked page saying "Access was denied by the access policy."

     

    The idea of have a Pre-Request Policy for /secret is also right.

     

    KR

    Daniel

     

     

     

  • AlexS_yb's avatar
    AlexS_yb
    Icon for Cirrocumulus rankCirrocumulus
    Mar 23, 2021

    Thanks.

     

    Tried it not working ... very strange

     

    I found this

    https://devcentral.f5.com/s/question/0D51T00006i7Xc3/only-enable-access-policy-when-server-response-is-401

     

     

    an old but it has allowed me to do what I want.