
Insert Basic Auth Header

Luis_Melendrez
Altostratus

Is there a way to insert basic auth header to the backend server?

Client HTTP requests don't have the basic auth header, and I would like to build an iRule so that when the request is received, the proxy inserts the basic auth header with the proper credentials to the back-end server.

Thanks

1 ACCEPTED SOLUTION

Hi @Luis_Melendrez 

One thought that comes to mind is that you might be able to do a simple header injection via the HTTP profile or via an iRule. I do want to note that this design would allow any client to connect to your web application as whatever user is provided in the header, so it would not necessarily be much better than regular anonymous usage. Further, the password is only encoded with base64, so it is essentially the same as clear text; you will want to use SSL/TLS to protect the communication.

To build the authorization string, combine the username and password, separated by a colon, and then base64 encode the whole string. For example, RFC 7617 shows the username Aladdin with password 'open sesame', which results in the base64 string QWxhZGRpbjpvcGVuIHNlc2FtZQ==. Be sure to come up with the value required for your implementation. CyberChef is a handy tool to do base64 operations.

In the HTTP profile, set the Request Header Insert value to:

Authorization Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

In an iRule, this might look like this. (I haven't tested this):

when HTTP_REQUEST_RELEASE {
    HTTP::header insert Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
}

Last note: this method might not work if the application server is expecting to respond with a 401 error first and then have the user authenticate second. You would need additional logic in that case.

Thanks,

Josh Becigneul


3 REPLIES

Lebsack
Nimbostratus

A string of the hex digits that proves that the user knows a password. The algorithm encodes the username and password, realm, cnonce, qop, nc, and so on. It is described in detail in the specification.


@Lebsack wrote:

A string of the hex digits that proves that the user knows a password. The algorithm encodes the username and password, realm, cnonce, qop, nc, and so on. It is described in detail in the specification.


May it be helpful to us.