
Insert text to HTTP header via iRule event during APM execution

BharatSharda
Altostratus

Hi Community Members,

 

We are trying to insert some text into the HTTP header through an iRule which will check for the ACCESS_POLICY_AGENT_EVENT generated via an iRule event during an APM check.

Event "event_1" is getting generated via APM. There is below iRule that is doing the header injection if "event_1" is generated.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "event_1" } {
        HTTP::header insert "my_text" value
    }
}

But in our checking it was found that the header injection during APM execution by an iRule is not working.

Below F5 article also mentions the similar thing:

https://support.f5.com/csp/article/K22055705

 

Is there a way out by which we can still insert the desired text, value combination to HTTP header?

Any leads would be helpful. Thanks!

 

Cheers,

Bharat

1 ACCEPTED SOLUTION

SanjayP
MVP

HTTP_REQUEST_SEND is also one of the events that can be used to send the APM variable.

https://support.f5.com/csp/article/K74392192

So it is worth trying the below. Modify as needed.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "event_1" } {
        # Store the value in the APM session and keep a local copy
        ACCESS::session data set session.custom.header "value"
        set header [ACCESS::session data get "session.custom.header"]
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [info exists header] } {
            HTTP::header insert "headername" $header
        } else {
            return
        }
    }
}


10 REPLIES

You want to insert the header in the request or response ?

 

Try with "ACCESS_POLICY_COMPLETED" or "HTTP_REQUEST" or "ACCESS_ACL_ALLOWED" or even "HTTP_REQUEST" to do this.

 

You may also see:

 

 

https://devcentral.f5.com/s/question/0D71T000006gzth/detail?s1oid=00D00000000hXqv&s1nid=0DB1T0000008Ony&emkind=chatterCommentNotification&s1uid=0051T000008eyBa&emtm=1617222886798&fromEmail=1&s1ext=0

 

Hi Nikoolayy1,

 

Thank you for your suggestion.

Our expectation is to insert the header when the flow goes through just a certain APM check (branch path) and a certain condition is met; that is why we tried to use ACCESS_POLICY_AGENT_EVENT. The header should not be added by any other APM branch.

 

If we use "ACCESS_POLICY_COMPLETED" or "HTTP_REQUEST" or "ACCESS_ACL_ALLOWED" or even "HTTP_REQUEST", header will be added for all the checks, not just by a specific APM.

It may be worth trying something like the below. Let us know how the testing goes.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "event_1" } {
        ACCESS::session data set session.custom.header "value"
        set header [ACCESS::session data get "session.custom.header"]
    }
}

when ACCESS_POLICY_COMPLETED {
    if { [info exists header] } {
        HTTP::header replace "headername" $header
    } else {
        return
    }
}

Hi SanjayP,

 

Thank you for your reply.

I tried to set the same under a single iRule as well as 2 separate iRules with ( when function each) to be executed one after another, but no luck.

The session.custom.header is getting set in first when block, but after the execution completion of APM, the header replace\insertion is still not working.

Can you enable some logging and see what's happening? Also edit the iRule to add "insert header".

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "event_1" } {
        ACCESS::session data set session.custom.header "value"
        set header [ACCESS::session data get "session.custom.header"]
        log local0. "header: $header"
    }
}

when ACCESS_POLICY_COMPLETED {
    if { [info exists header] } {
        log local0. "header found"
        HTTP::header insert "headername" $header
        log local0. "header inserted with value $header"
    } else {
        log local0. "no header added as event doesn't match"
        return
    }
}

I think that to set headers or cookies with the event "ACCESS_POLICY_COMPLETED", you need to use "ACCESS::respond", as I gave in the example in my previous update, as "ACCESS_POLICY_COMPLETED" by default does not override the default APM response after the policy check is completed:

 

Example:

 

https://devcentral.f5.com/s/question/0D71T000006gzth/detail?s1oid=00D00000000hXqv&s1nid=0DB1T0000008...

 

 

 

https://clouddocs.f5.com/api/irules/ACCESS_POLICY_COMPLETED.html

 

 

The "ACCESS_ACL_ALLOWED" can be tested as it seems much easier and you can just add a header. So maybe just replace "ACCESS_POLICY_COMPLETED" with "ACCESS_ACL_ALLOWED" in the combined iRule, and if there are issues try "ACCESS::respond" with the event "ACCESS_POLICY_COMPLETED" and enable logs with "log local0" to see where the issue is.

 

https://clouddocs.f5.com/api/irules/ACCESS_ACL_ALLOWED.html

Hi Nikoolayy1,

"ACCESS_POLICY_COMPLETED" with "ACCESS_ACL_ALLOWED" on the combined iRule didn't help much. But yes, enabling log local0 helped to trace the flow. Thanks much for your help. Cheers.


when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "event_1" } {
        ACCESS::session data set session.custom.header "1"
    } else {
        ACCESS::session data set session.custom.header "0"
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Read the flag back from the APM session for this request
        set header [ACCESS::session data get "session.custom.header"]
        if { $header } {
            HTTP::header insert "headername" $header
        } else {
            return
        }
    }
}

Hi Sanjay,

 

This worked for my case with a little tweak, had to set the $header again in HTTP_REQUEST_SEND to proceed with the HTTP header insertion. Also the log local0. helped a lot. Thank you for your inputs in here. Cheers.

 

I traced the HTTP headers by printing them in the ltm logs, referring to https://support.f5.com/csp/article/K42210592

when HTTP_REQUEST {
    foreach aHeader [HTTP::header names] {
        log local0. "HTTP Request Headers: $aHeader: [HTTP::header value $aHeader]"
    }
}

 

SanjayP
MVP

Glad it worked and thank you for the feedback with an updated iRule
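
A consolidated form of the approach the thread converged on, as an added example that is not code posted by any participant: the agent event only writes the session variable, and HTTP_REQUEST_SEND reads it back from the APM session rather than relying on a Tcl variable set in the earlier event, which is the tweak the original poster reported needing. The names event_1, session.custom.header and headername are the thread's placeholders; removing any client-supplied copy of the header first is an added assumption for deployments where the backend trusts this header.

```tcl
# Added example, not from the thread. "event_1", "session.custom.header"
# and "headername" are the thread's placeholder names.

when ACCESS_POLICY_AGENT_EVENT {
    # Fires only when policy evaluation reaches an iRule Event agent.
    # Mark the session only on the branch whose agent ID is event_1.
    if { [ACCESS::policy agent_id] eq "event_1" } {
        ACCESS::session data set session.custom.header "value"
        log local0. "event_1 reached, session.custom.header set"
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Assumption: the backend trusts this header, so drop any copy the
        # client sent before deciding whether to add our own.
        HTTP::header remove "headername"

        # Read the value back from the APM session here; do not rely on a
        # Tcl variable set in ACCESS_POLICY_AGENT_EVENT.
        set header [ACCESS::session data get "session.custom.header"]

        # An unset session variable comes back as an empty string, which
        # means the policy never went through the event_1 branch.
        if { $header ne "" } {
            HTTP::header insert "headername" $header
            log local0. "inserted headername: $header"
        }
    }
}
```

Sessions that took any other branch reach the backend without the header, including when the client tried to supply one itself.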