iRule help
mikegray_198028, Oct 11, 2018

Team,
I have one requirement for URL-based client authentication: enable client auth only for /app and /app1, with no client auth required for any other path.

Reply from Cirrus:
Edit: Just realized you said you don't have APM. Whoops.
I have a similar use case. I have one VIP that I hang multiple websites off of. When someone goes to a certain URI, it starts an APM session and they log in with their certificate through APM, flow through the VPE, etc.
My default switch has ACCESS::disable, which allows everyone initially. If someone goes to a specific URI, it sets a custom variable; if that variable exists, access is enabled for the remainder of their session.
One thing that I did have to configure was the APM VPE at the client cert prompt: if it failed and the HTTP host value was that public site, I had it redirect to the public site's homepage so the user didn't get some F5 APM error. I am not sure how to do that in an iRule.
My iRule looks something like this:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "www.site1.com" {
            pool pool1
            switch -glob [string tolower [HTTP::uri]] {
                "*app" {
                    log local0. "inside app uri switch"
                    ACCESS::enable
                    set uri 1
                    # remember in the APM session that this user has reached a protected URI
                    ACCESS::session data set session.ssl.custom.cac.uri $uri
                }
                "*app1*" {
                    log local0. "inside app1 uri switch"
                    ACCESS::enable
                    set uri 1
                    ACCESS::session data set session.ssl.custom.cac.uri $uri
                }
                default {
                    log local0. "inside default switch"
                    # "info exists" expects a variable name, not a value, so wrapping the
                    # session lookup in it never matched; test the stored value instead
                    if { [ACCESS::session data get session.ssl.custom.cac.uri] ne "" } {
                        ACCESS::enable
                        log local0. "default access exists [ACCESS::session data get session.ssl.custom.cac.uri]"
                    } else {
                        ACCESS::disable
                    }
                }
            }
        }
        "www.site2.com" {
            pool pool2
            SSL::disable serverside
            ACCESS::disable
        }
    }
}
Not sure if there's anything wrong with doing it this way, or if there's a better way, but it is working for me. Feedback appreciated.
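For the original question (no APM available), the usual way to gate only /app and /app1 behind a client certificate is to let the TLS handshake complete without a certificate, and then renegotiate with a certificate required the first time a protected path is requested on a connection. The iRule below is an added example written for this thread; it is not Cirrus's code and not an F5-supplied iRule. It assumes a client SSL profile whose "Client Certificate" setting is ignore, with a trusted CA bundle configured and renegotiation enabled, and it assumes clients negotiate TLS 1.2 or lower, because TLS 1.3 removed renegotiation and SSL::renegotiate cannot be used on a TLS 1.3 connection. The host www.site1.com, the paths /app and /app1, and pool1 are taken from the thread.

```tcl
# Added example, not from the thread or from F5: certificate required only
# for /app and /app1 on www.site1.com, no APM involved.
# Assumptions: clientssl profile starts with Client Certificate = ignore,
# renegotiation enabled, CA bundle configured, TLS 1.2 or lower.

when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    set path [string tolower [HTTP::path]]

    # decide whether this request falls under a protected path
    set needs_cert 0
    if { $host eq "www.site1.com" } {
        switch -glob $path {
            "/app" - "/app/*" - "/app1" - "/app1/*" { set needs_cert 1 }
        }
    }

    pool pool1

    if { $needs_cert && [SSL::cert count] == 0 } {
        # No certificate has been presented on this connection yet: park the
        # request, then renegotiate with a certificate required. The request is
        # released, or the connection dropped, in CLIENTSSL_CLIENTCERT below.
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
        return
    }

    if { $needs_cert } {
        # certificate already present on this keep-alive connection; the
        # handshake (and CLIENTSSL_CLIENTCERT) already validated it
        log local0. "protected path $path served to [X509::subject [SSL::cert 0]]"
    }
}

when CLIENTSSL_CLIENTCERT {
    # fires when the renegotiated handshake delivers the client certificate chain
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "client cert from [IP::client_addr] missing or invalid (verify_result=[SSL::verify_result])"
        reject
        return
    }
    log local0. "client cert accepted for [IP::client_addr]: [X509::subject [SSL::cert 0]]"
    # hand the parked request on to the pool
    HTTP::release
}
```

Two properties of this approach are worth knowing before relying on it. Because the renegotiation uses `SSL::cert mode require`, a client that has no certificate sees a TLS handshake failure rather than an HTTP error page, which is the same user-experience problem Cirrus worked around in the APM VPE; the `SSL::verify_result` check in CLIENTSSL_CLIENTCERT is a second line of defence, since an untrusted certificate already fails the handshake under that mode. And once a certificate has been presented, it stays attached to that TCP connection, so later requests for public paths on the same keep-alive connection also carry it; that is harmless here because only the protected paths ever trigger the renegotiation.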