
IRULE to restrict a specific url after initiated first session

Saidur900
Nimbostratus

Dear All

I need help making an iRule for the following reason.

A and B are both clients. A has initiated a session from his device. A gets an API result with some information from "xxx.com/api/info". After getting the result, the same result link is shared with B, and he gets the same output. Here I need to restrict user B: if he gets the link, then the connection will drop.

I suspect it might work if I can detect that the device ID and the session ID are mismatched after the traffic is initiated.

Can anyone please provide me with a solution to this? It would be very helpful to me.

Thanks in advance.


Hello @Saidur900 , 

you can create an iRule or LTM policy that has two conditions (source IP of user B & URI >> "xxx.com/api/info")
and takes the action of dropping.

I see that a device ID is not suitable, as it forces user A and user B to run the JavaScript injected into BIG-IP's first response in order to create the device ID in BIG-IP.

I believe that you need a static identifier for user B, such as a static IP address.

_______________________
Regards
Mohamed Kansoh

Saidur900
Nimbostratus

Hi Mohamed Kansoh

Thanks for your reply.

Actually, I don't want to restrict by any static identifier. I don't know how to do it, but the requirement is: once Client A has already been served with the URL, no other device should get access with that same URL. Note that the URL is not static either; it includes some random numbers, such as "xxx.com/api/info/ms1672635".

Hi @Saidur900 , 
no worries about the change in URI, as you can use the "starts_with" or "contains" operators if your URI is not static.

So now your requirement is:
you need only one connection in BIG-IP to access this URI, and any other connection requesting this URI should be dropped, regardless of whether it is Client A or B. You only need this URI to be accessed one time, for only one exclusive connection through BIG-IP, and if this connection finishes or times out, it is allowed for any client to access it again.
So one connection to this URL at a time?

_______________________
Regards
Mohamed Kansoh

Hi Kansoh

Yes, a single connection to this URL at a time. This URL contains sensitive information, so I need a solution. I don't understand where to start.

Hi @Saidur900 , 
I believe that you can do that using the "table" iRule command, setting a connection limit of 1 connection,
and putting the condition on the URL instead of the client IP address.

Use this article as a starting point: https://community.f5.com/t5/technical-forum/connection-limit-for-a-uri-path/td-p/223207

So, briefly, I think your requirement will be met by setting two conditions (connection limit equal to 1 and URI contains "/api/info/").
Of course it will need much testing; I don't have your deployment to test it, and it may take much time.

I will mention Mr. @JRahm; he may give us clues, as he is very experienced with iRules, especially complex ones.

_______________________
Regards
Mohamed Kansoh

Hi @Saidur900, not tested, but to give an idea, you can use the table command to add a key of your random string to the session table, and then upon any other request, if the key is there, the connection will be dropped. I have an indefinite timer here, but the more random strings you have, the larger your memory footprint will grow over time, so be careful unless you're going to flush the table on occasion. I'd recommend a timeout far less, or at least have an automated process to flush the table. But...it's possible. Again, the code is untested, but should get you started. Note that this assumes the HTTP::path ends with your random string. If not, it will need to be adjusted.

when HTTP_REQUEST priority 500 {
    ### Assumes the random string completes the HTTP path! ###
    if {[string match "/api/info/ms*" [HTTP::path]]} {
        # "/api/info/" is 10 characters long, so the random string
        # (e.g. "ms1672635") starts at offset 10 of the path
        set key [string range [HTTP::path] 10 end]
        # Drop any request whose random string has already been seen
        if {[table lookup -- -subtable api_paths $key] != ""} {
            drop
        } else {
            # First sighting: record the key (no expiry, see the memory note above)
            table set -- -subtable api_paths $key 1 indefinite
        }
    }
}
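Building on the table-based sketch above and on the one-connection-at-a-time requirement agreed earlier in the thread, here is an added iRule (not JRahm's code and not from F5, and not tested on a BIG-IP) that binds the random string to the first client that requests it, drops other clients that present the same link, expires the entry after an idle timeout instead of keeping it indefinitely, and releases it when the owning connection closes. The subtable name api_paths, the "/api/info/ms" prefix, the 300-second timeout and the use of the client IP as the binding identifier are assumptions; clients behind one NAT share an address and would be treated as the same client.

```tcl
# Assumed path layout: /api/info/ms<random>; "/api/info/" is 10 characters long.
when HTTP_REQUEST priority 500 {
    if {[string match "/api/info/ms*" [HTTP::path]]} {
        set key [string range [HTTP::path] 10 end]
        # table lookup returns "" when the key is absent and refreshes the
        # idle timer of an existing entry.
        set owner [table lookup -subtable api_paths $key]
        if {$owner eq ""} {
            # First request for this random string: bind it to this client
            # with an assumed 300 s idle timeout so the table cannot grow
            # without bound (the memory caveat raised above).
            table set -subtable api_paths $key [IP::client_addr] 300
            set held_key $key
        } elseif {$owner eq [IP::client_addr]} {
            # Same client re-requesting within its session: allow it.
            # The lookup above already refreshed the idle timer.
        } else {
            # A different client presented a link that is already in use:
            # record the attempt for the SOC and drop the connection.
            log local0. "api_paths: [IP::client_addr] denied $key (held by $owner)"
            drop
        }
    }
}

when CLIENT_CLOSED {
    # Only the connection that created the binding releases it, so the
    # link becomes usable again once that connection has finished.
    if {[info exists held_key]} {
        table delete -subtable api_paths $held_key
    }
}
```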