We are trying to insert some text to HTTP header through an iRule which will check for ACCESS_POLICY_AGENT_EVENT generated by via iRule event during an APM checking.
Event "event_1" is getting generated via APM. There is below iRule that is doing the header injection if "event_1" is generated.
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "event_1" } {
HTTP::header insert "my_text" value
}
}
But in our checking it was found that the header injection during APM execution by an iRule is not working.
Below F5 article also mentions the similar thing:
https://support.f5.com/csp/article/K22055705
Is there a way out by which we can still insert the desired text, value combination to HTTP header?
HTTP_REQUEST_SEND is also one of the event can be used to send the APM variable.
https://support.f5.com/csp/article/K74392192
so worth trying below. modify as needed.
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "event_1" } {
ACCESS::session data set session.custom.header "value"
set header [ACCESS::session data get "session.custom.header"]
}
}
when HTTP_REQUEST_SEND {
clientside {
if {[info exists header]}{
HTTP::header insert "headername" $header
} else {
return
}
}
}
Our expectation is to insert the header when the flow goes through just a certain APM check (branch path) and a certain condition is met, that is because we tried to use ACCESS_POLICY_AGENT_EVENT. Header should not be added by any other APM branch.
If we use "ACCESS_POLICY_COMPLETED" or "HTTP_REQUEST" or "ACCESS_ACL_ALLOWED" or even "HTTP_REQUEST", header will be added for all the checks, not just by a specific APM.
May be worth to try something like below. Let us know how the testing goes
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "event_1" } {
ACCESS::session data set session.custom.header "value"
set header [ACCESS::session data get "session.custom.header"]
}
}
when ACCESS_POLICY_COMPLETED {
if {[info exists header]}{
HTTP::header replace "headername" $header
} else {
return
}
}
I tried to set the same under a single iRule as well as 2 separate iRules with ( when function each) to be executed one after another, but no luck.
The session.custom.header is getting set in first when block, but after the execution completion of APM, the header replace\insertion is still not working.
Can you enable some logging and see what's happeing. also edit the iRule to add "insert header"
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "event_1" } {
ACCESS::session data set session.custom.header "value"
set header [ACCESS::session data get "session.custom.header"]
log local0. "header: $header"
}
}
when ACCESS_POLICY_COMPLETED {
if {[info exists header]}{
log local0. "header found"
HTTP::header insert "headername" $header
log local0. "header inserted with value $header"
} else {
log local0. "no header added as event doesn't match"
return
}
}
I think that to set headers or cookies with the event "ACCESS_POLICY_COMPLETED", you need to use the "ACCESS::respond", as I gave in the example in my previous update as "ACCESS_POLICY_COMPLETED" by default does not overide the default APM response after the policy check is completed:
The "ACCESS_ACL_ALLOWED" can be tested as it seems much easy and you can just add a header. So maybe just replace "ACCESS_POLICY_COMPLETED" with "ACCESS_ACL_ALLOWED" on the conbined iRule and if there are issues try "ACCESS::respond" with the event "ACCESS_POLICY_COMPLETED" and enable logs with ''log local0'' to see where is the issues.
"ACCESS_POLICY_COMPLETED" with "ACCESS_ACL_ALLOWED" on the conbined iRule didn't helped much. But yes enabling log local0 helped to trace the flow. Thanks much for your help. Cheers.
HTTP_REQUEST_SEND is also one of the event can be used to send the APM variable.
https://support.f5.com/csp/article/K74392192
so worth trying below. modify as needed.
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "event_1" } {
ACCESS::session data set session.custom.header "value"
set header [ACCESS::session data get "session.custom.header"]
}
}
when HTTP_REQUEST_SEND {
clientside {
if {[info exists header]}{
HTTP::header insert "headername" $header
} else {
return
}
}
}
when ACCESS_POLICY_AGENT_EVENT {
if { [ACCESS::policy agent_id] eq "event_1" } {
ACCESS::session data set session.custom.header "1"
} else {
ACCESS::session data set session.custom.header "0"
}
when HTTP_REQUEST_SEND {
clientside {
set header [ACCESS::session data get "session.custom.header"]
if { $header }{
HTTP::header insert "headername" $header
} else {
return
}
}
}
Hi Sanjay,
This worked for my case with a little tweak, had to set the $header again in HTTP_REQUEST_SEND to proceed with the HTTP header insertion. Also the log local0. helped a lot. Thank you for your inputs in here. Cheers.
I traced the HTTP headers by printing then in ltm logs referring to https://support.f5.com/csp/article/K42210592
when HTTP_REQUEST {
foreach aHeader [HTTP::header names] {
log local0. "HTTP Request Headers: $aHeader: [HTTP::header value $aHeader]"
}
}
