reverse proxy mapping of server with strict header checking
We are trying to map a number of separately developed apps onto the same domain with each app in a subdomain, so users can request https://.ourdomain.com/ and get directed to the correct app. Apps we developed are in pools in our own hosting and working fine. We also need to map one app developed by a third party and hosted externally (https://thirdpartyapp.theirdomain.com/). We have the ip address of this third party app in a pool and the traffic is flowing correctly but some browsers set headers which cause resource requests that follow the initial connection to receive a 403 FORBIDDEN response. Unfortunately I don't have access to the Big-IP - it's a managed service, so writing and debugging iRules is a slow process. What I need help with... Does this iRule effectively substitute headers in the outgoing request? I know the replace works, but how do I know these are the headers going over to the other end (I have no access to F5 or to 3rd party server). { set uri [HTTP::uri] set httpver [HTTP::version] set headers [HTTP::header names] array unset request array set request {uri $uri} foreach header $headers { regsub -all {externalapp.ourdomain.com} [HTTP::header $header] prod-thirdpartyapp.theirdomain.com newheadervalue set request($header) $newheadervalue } set ENCRYPT 1;pool POOL-thirdparty-443-external;snat [IP::local_addr] } I know the regsub is replacing the headers correctly. Where I am losing confidence is that I can't see the request headers of the outbound connection to the third party server. Do I need to write the headers back into HTTP::header or does "set request" do that for the outbound request - i.e. is request a special object on the F5 that automatically sets the server side https request? Thanks for your help
302 Redirect and http headers
I have a iRule that I'm trying to do a redirect but make the redirect pass http headers to another server (this is in a different domain). The access policy will authenticate the user and get certain information from AD. This information needs to be sent to the other web application with the data in http headers (not my doing 🙂 ). Can headers be passed this way and what would be the syntax for the http:respond with http headers? when ACCESS_POLICY_COMPLETED { set policy_result [ACCESS::policy result] switch $policy_result { "allow" { set clientid "12345" set userid "[ACCESS::session data get session.saml.last.attr.name.employeeID]" set timestamp "[ACCESS::session data get session.custom.form.timestamp]" log local0. "***** clientId $clientid" log local0. "***** userid $userid" log local0. "***** timestamp $timestamp" HTTP::respond 302 Location "https://xyz.domain.com/" "client_id" $clientid "client_userid" $userid "client_timestamp" $timestamp Trying to do something like this HTTP::response 302 Location "https://xyz" "http-header client_id $clientid" "http-header client_userid $user ..." } "deny" { ACCESS::respond 401 content "Error: Failure in Authentication" Connection Close } } }Authenticated Sessions at the HTTP level for the iControl API (HTTP Headers?)
We're using i-Control-11.2's Interfaces object and doing some serious pounding of the system. BigIp has no trouble handling the load; however, we're going through a third party authentication/authorization application (TACACS+) which is having trouble keeping up. Is there a way to maintain the Axis HTTP session once authenticated? I tried using the SOAP "session" header but that didn't work. I'm pretty sure that's more of an application-level session. I'm assuming the HTTP X-iControl-Session header will function the same way. I'm wondering if the BigIp web server will respect HTTP session authentication. If anyone out there has any ideas, I'm open to trying them. We may be exploring pooling authenticated tcp connections with keep-alive. I'm really hoping there's a better solution.