iRule for access VIP based on user name

I am configuring a VIP and implementing the basic authentication method over SSL. I want to restrict VIP access based on user account.

In other words, only a specific user is allowed to access this VIP; for all the other users, just block their access.

I believe it can be achieved by creating a proper iRule based on HTTP::username, but I am unable to find any decent reference or sample to do it.

There are 10 user names in the check list. Can someone give me a sample of how to do it?

Thanks in advance


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi,

Here is a 9.x example which prompts the user to enter credentials if valid credentials haven't already been provided. If an auth header has a value, that value is checked against a single base64 encoded user:pass.

http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/13423/afv/topic/Default.aspx#27783

You should be able to modify this for 10.x to support your requirements. Reply here if you want more detailed suggestions.

Or if you just want to check every request for a user name which is defined in a string datagroup, you could use something like this:


when HTTP_REQUEST {

   # Log each request, including the raw Authorization header value
   # (for Basic auth this is the base64-encoded user:pass)
   log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to [HTTP::host][HTTP::uri] with auth value: [HTTP::header value Authorization]"

   # Check if there is an Authorization header with a value
   if { [HTTP::header value "Authorization"] eq "" } {

      # No Auth header.  Send a 401 to request credentials?  Or a 403 to block the request?

   } else {

      # Auth header had a value, so check if the username exists in a datagroup of valid users
      # (HTTP::username returns the decoded user name from a Basic Authorization header)
      if { [class match [HTTP::username] equals my_valid_usernames_class] } {

         # Valid request.  Do something?  Or just allow the request to go to the virtual server's default pool.

      } else {
         # Invalid username.  Send a 401 to request credentials?  Or a 403 to block the request?
      }
   }
}


Aaron
Note that I'm assuming something else behind LTM would actually validate the password is correct for the given username in the latter example.

Aaron
George wrote up that very thing back in September: http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086387/HTTP-Basic-Access-Authentication-iRule-Style.aspx
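Putting the pieces from the answers above together, here is an added example (it is not code from this thread or from the linked F5 article) of a complete 10.x-style iRule that does what the question asks: it challenges with a 401 when no Basic credential is present, refuses with a 403 when the user name is not in the data group, and, as an optional last step, also checks the base64 user:pass on LTM against a second data group, which is what Aaron's note about password validation and George's write-up are about. The data group my_valid_usernames_class is the one named in the answer above; my_valid_creds_class, the realm string restricted-vip, and the response bodies are placeholders made up for this example.

```tcl
# Added example, not from the original thread. Assumed objects on the BIG-IP:
#   my_valid_usernames_class - string data group whose keys are the allowed user names
#   my_valid_creds_class     - string data group whose keys are base64("user:password")
#                              pairs; only needed for the optional password check at the end
# Both names and the realm string are placeholders chosen for this example.

when HTTP_REQUEST {

   # 1. No credentials at all: challenge the client. A 401 with a WWW-Authenticate
   #    header is what makes a browser show the credential prompt; a bare 403 would not.
   if { ![HTTP::header exists "Authorization"] } {
      HTTP::respond 401 content "Authentication required" \
         "WWW-Authenticate" "Basic realm=\"restricted-vip\"" \
         "Content-Type" "text/plain"
      return
   }

   # 2. Only the Basic scheme is handled here. HTTP::username returns an empty string
   #    for other schemes (Bearer, Digest, ...), so treat anything else as unauthenticated.
   set authhdr [HTTP::header value "Authorization"]
   if { [string tolower [string range $authhdr 0 5]] ne "basic " } {
      HTTP::respond 401 content "Basic authentication required" \
         "WWW-Authenticate" "Basic realm=\"restricted-vip\""
      return
   }

   # 3. Allow-list check on the user name. The "--" stops a user name that happens to
   #    begin with "-" from being parsed as an option of the class command.
   set user [HTTP::username]
   if { $user eq "" || ![class match -- $user equals my_valid_usernames_class] } {
      # Log who was refused, but never the Authorization value itself: it is only
      # base64, so logging it writes the password to /var/log/ltm in the clear.
      log local0. "[IP::client_addr]:[TCP::client_port] refused user '$user' for [HTTP::host][HTTP::uri]"
      HTTP::respond 403 content "Forbidden"
      return
   }

   # 4. Optional: verify the password on the BIG-IP as well by comparing the
   #    base64(user:password) string the client sent against a data group of valid pairs,
   #    the same approach as the 9.x example linked above. Leave this block out if the
   #    pool members validate the password themselves.
   set b64creds [string trim [string range $authhdr 6 end]]
   if { ![class match -- $b64creds equals my_valid_creds_class] } {
      log local0. "[IP::client_addr]:[TCP::client_port] bad password for user '$user'"
      HTTP::respond 401 content "Authentication required" \
         "WWW-Authenticate" "Basic realm=\"restricted-vip\""
      return
   }

   # All checks passed: fall through and let the request go to the virtual server's default pool.
}
```

Two things to keep in mind when adapting this: class match with equals is an exact comparison, so the data group entries must match the user name exactly as the client sends it; and the optional step 4 stores credentials in a reversible (base64) form, so that data group is itself a secret and the virtual server should only take this traffic over SSL, as the question already intends.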