how to remove Authorization http header

Hi Giuseppe,

 

 

I think in the HTTP Profile you could use the Request Header Erase option.

 

 

Regards

 

 

Jürg

Hi Juerg

 

I already tried to remove the header in the http profile. The problem is, that when I remove the authorization header then the LTM doesn't send my request to the pool because it means that the authentication was not successfull. What I want to do is remove the authorization header only from the LTM to the backend. From the client to the LTM the authorization header should remain.

 

 

Ciaoooooo

Hi Giuseppe,

The HTTP profile configuration for adding/removing headers is performed before HTTP_REQUEST is triggered. The auth header is read in default HTTP_REQUEST event (priority 500). So that's why the profile option to remove the auth header would prevent the authorization from working.

You can use an iRule with a priority (Click here) set to greater than the default of 500 to remove the auth header after the auth iRule uses it:

  
   when HTTP_REQUEST priority 501 {   
      
       Remove the Authorization header after the system authorization iRule runs (at priority 500)   
      if {[HTTP::header exists Authorization]}{   
      
         HTTP::header remove Authorization   
      }   
   }   
   

Aaron

Hi Hollio

 

I tried but it doesn't work. Our clients must first authenticate to the ltm with radius authentication (works well) then when they are authenticated they must authenticate theirself to the server. The connection is ssl from the Client to the LTM and ssl from the LTM to the server. When I try to connect the server response with a 500 Error Code. I tested the all thing with an apache reverse proxy and I have seen that the reverse proxy doesn't pass the authentication from the radius authentication to the server, so it works.

With the above rule, do you see that the Authorization header is removed from the request after the Radius authentication is performed?

 

 

Aaron

Hi Giuseppe,

 

 

Check out "Serverside" command to remove the Header only in the direction to the server..

 

 

Jürg

So using this iRule will remove the Authroization Header to the Backend System.

 

 

But, after Authenticating on the Backend it should not be removed......

 

So we need something else to take care on. So this is not really the whole solution...

 

 

 

when HTTP_REQUEST priority 501 {

 

Remove the Authorization header after the system authorization iRule runs (at priority 500)

 

if {[HTTP::header exists Authorization]} {

 

[serverside {HTTP::header remove Authorization}]}

 

}

 

 

Regards

 

 

Jürg

How I created the iRule based on _sys_auth_radius

What it will do is adding a Cookie "Welcome" to the response when Authentication on BIG-IP was successful.

If Cookie exists no further Authentication takes place on the BIG-IP and the Request is forwaded to the destination after (Authentication Header is removed)

when HTTP_REQUEST {  
  set doit "bad"  
  if { not [ HTTP::cookie exists "Welcome"] } {  
  set doit "bad"  
          if {not [info exists tmm_auth_http_sids(radius)]} {  
              set tmm_auth_sid [AUTH::start pam default_radius]  
              set tmm_auth_http_sids(radius) $tmm_auth_sid  
              if {[info exists tmm_auth_subscription]} {  
                  AUTH::subscribe $tmm_auth_sid  
              }  
          } else {  
              set tmm_auth_sid $tmm_auth_http_sids(radius)  
          }  
          AUTH::username_credential $tmm_auth_sid [HTTP::username]  
          AUTH::password_credential $tmm_auth_sid [HTTP::password]  
          AUTH::authenticate $tmm_auth_sid  
    
          if {not [info exists tmm_auth_http_collect_count]} {  
              HTTP::collect  
              set tmm_auth_http_successes 0  
              set tmm_auth_http_collect_count 1  
          } else {  
              incr tmm_auth_http_collect_count  
          }  
      }   else {  
     HTTP::header remove Authorization  
   }  
  }  
    
      when AUTH_RESULT {  
          if {not [info exists tmm_auth_http_sids(radius)] or \  
              ($tmm_auth_http_sids(radius) != [AUTH::last_event_session_id]) or \  
              (not [info exists tmm_auth_http_collect_count])} {  
                
          }  
          if {[AUTH::status] == 0} {  
              incr tmm_auth_http_successes  
              set doit "ok"  
              }  
           If multiple auth sessions are pending and  
           one failure results in termination and this is a failure  
           or enough successes have now occurred  
          if {([array size tmm_auth_http_sids] > 1) and \  
              ((not [info exists tmm_auth_http_sufficient_successes] or \  
               ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {  
               Abort the other auth sessions  
              foreach {type sid} [array get tmm_auth_http_sids] {  
                  unset tmm_auth_http_sids($type)  
                  if {($type ne "radius") and ($sid != -1)} {  
                      AUTH::abort $sid  
                      incr tmm_auth_http_collect_count -1  
                  }  
              }  
          }  
           If this is the last outstanding auth then either  
           release or respond to this session  
          incr tmm_auth_http_collect_count -1  
          if {$tmm_auth_http_collect_count == 0} {  
              unset tmm_auth_http_collect_count  
              if { [AUTH::status] == 0 } {  
              HTTP::release  
              } else {  
                  HTTP::respond 401  
              }  
          }  
      }  
    
  when HTTP_RESPONSE {  
    if {not [ HTTP::cookie exists "Welcome"] } {  
    if { $doit eq "ok"} {    
  HTTP::cookie insert name "Welcome" value [IP::client_addr]  
    log local0. "cookie please" }    
   }}