how to combine two irules and trigger the latter only when the first does not
I have two irules, one to do user id injection( for an IDP auth user using our access policy ) and the other one to do a logout-call to the IDP server. Now, the requirement is to do user injection only when the user is still logged in and not after the user has logged out of the IDP. Based on this requirement, I would like to trigger the user-injection irule only when the logout-call is not still invoked by the user. Is there a way we can accomplish this either may be through settings any variables across irules or if not by combining the irules first and trying with setting the variables globally. Here are the two irules, Logout-call irule: when HTTP_REQUEST { set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"] if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx"} { if { [HTTP::uri] contains "post_logout_redirect_uri" } { set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri] # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue" HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue" } else { # log local0. "logout uri not contains post_logout_redirect_uri parameter" HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout" } } elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy"} { if { [HTTP::uri] contains "post_logout_redirect_uri" } { set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri] # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue" HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue" } else { # log local0. "logout uri not contains post_logout_redirect_uri parameter" HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout" } } } User Identification Injection irule: when HTTP_REQUEST { #If already exists ,consider it malicious attempt and remove the headers HTTP::header remove F5-auth-User-Id HTTP::header remove F5-auth-Tenant-Id #set variables from access policy and insert headers to send to backend set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"] set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"] set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"] set uri [string tolower [HTTP::uri]] HTTP::header insert "F5-auth-User-Id" $OID HTTP::header insert "F5-auth-OID" $OID HTTP::header insert "F5-auth-Tenant-Id" $TID HTTP::header insert "F5-auth-User-email" $user2 log local0. "$OID: [HTTP::header value $OID]" log local0. "$TID: [HTTP::header value $TID]" log local0. "$user2: [HTTP::header value $user2]" log local0. "LOG INFO: $OID" log local0. "LOG INFO2: $TID" log local0. "LOG INFO3: $user2" }
Inserting Iframe in Header for one of URL
Dear Community, We have a VIP on which 15 URLs are terminated, now the request is to allow iFrame headers in one of URL. Please suggest how we can add on one URL. Need to apply iFrame iRuel for header insertion on URL: utilesourcedev.test.com Existing iRULE: when CLIENT_ACCEPTED { #If http is detected, disable the Clientside Profile #This is needed because the SSL Profile is configured as enabled by default on the VIP if { [TCP::local_port] == 80 }{ SSL::disable clientside } #If https is detected, enable the Clientside Profile (Enabled by Default) if { [TCP::local_port] == 443 }{ SSL::enable clientside } } when SERVER_CONNECTED { if { [TCP::server_port] == 80 }{ SSL::disable serverside } } when HTTP_REQUEST { if {([TCP::local_port] == 80) and ([string tolower [HTTP::host]] != "utilities.test.com") and (not ([string tolower [HTTP::uri]] contains "portal/webserv/dominion/msaqd.cfm")) and (not ([string tolower [HTTP::uri]] contains "portal/webserv/dominion/proddata.cfm")) and (not ([string tolower [HTTP::uri]] contains "portal/webserv/dominion/msaq.cfm"))}{ HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri] return } switch -glob [string tolower [HTTP::host]] { "utilesource.test.com" { node 1.1.1.1:443 } "utilesourcedev.test.com" { node 1.1.1.2:443 } "utlmfprd01.test.com" { #Might need to put an exclusion for the http redirect for this site. SSL::disable serverside node 1.1.1.3:80 } "access360.test.com" { node 1.1.1.4:443} "wsecomm.test.com" { node 1.1.1.5:443} "amisvcs.test.com" { SSL::disable serverside node 1.1.1.6:8080 } "qual-amisvcs.test.com" { SSL::disable serverside node 1.1.1.7:8084 } "amisvcs-i.test.com" { SSL::disable serverside node 1.1.1.8:8081 } } } iFrame Header Insertion iRule: when HTTP_RESPONSE { if { not([HTTP::header exists "X-Frame-Options"])}{ HTTP::header insert X-Frame-Options {ALLOW-FROM https://s1-2.ariba.com} } else { HTTP::header replace X-Frame-Options {ALLOW-FROM https://s1-2.ariba.com} } }
F5 redirect context path to APACHE Web Server.
Hi there, I’m assisting one of my customer to integrate our software with F5. I was told that currently, F5 is configured using the Context Path (/abc) which redirect to my application’s APACHE Web Server (abc.com.au). We are not getting much help from customer’s F5 team as was told too difficult to configure iRule in F5. F5 is configured as below: e.g. https://example.com.au/abc - > https://abc.com.au:443 My abc.com.au Application is installed and configured based on abc.com.au (APACHE and TOMCAT) host name. So to login to my abc.com.au application end user uses https://example.com.au/abc/login (/login is my application’s context path) Now, back end APACHE is configured as below which make a connection to TOMCAT: ProxyPass /login balancer://abc.com.au_Cluster/login ProxyPassReverse /login balancer://172.31.16.26_Cluster/login <Proxy balancer://abc.com.au_Cluster> BalancerMember http://abc.com.au:8080 route=eda9a7ffce499a0ce772f6bef06f84be_Server1 ProxySet scolonpathdelim=on stickysession=eda9a7ffce499a0ce772f6bef06f84be_Cluster </Proxy> Since in header original request (https://example.com.au/abc/login) is passed to my application’s Web APACHE server; my application does not like it since all configurations are based on abc.com.au. So in F5 is there a way to Rewrite the Request header or any other options from https://example.com.au/abc/login to https://abc.com.au/login so my application “abc.com.au” only see Request is coming from https://abc.com.au but not from https://example.com.au and end users browser only see F5 URL (https://example.com.au). We have achieved similar requirements in Ngnix using below rule somewhere else: #If using https, use block below server { listen 443 ssl; # Proxy traffic server_name example.com.au; ssl on; if ($is_denied){ return 404; } location / { return 404; } location /abc/login { proxy_pass https://abc.com.au/login/; } } Thank you for your assistance.
Following order in Irule processing.
Hi, we have the following irule that thanks to a Dev Central user is working well but I have an additional question. Can someone help me add logic that allows the rule to process in order of granularity? For example, if a user connects with the path of /blah/*/blah2 do not care about the ip block but if only /blah then I do care... I need 3 different possibilities that all include /blah somewhere in the path but 2 specifics that should not have the IP block applied. when HTTP_REQUEST { if { [string tolower [HTTP::path]] contains "/blah" } { if { ! [class match [IP::client_addr] equals allowed_IPs]} { log local0. "[IP::client_addr]:[TCP::client_port] does not match the allowed IP list" discard } } }