Variable assignment in irule

Dear All,

I need to set an irule variable in the HTTP_RESPONSE based on a condition, and make a decision on the next HTTP_REQUEST based on the variable value and unset the variable.

The problem is that the variable value that was set on HTTP_RESPONSE does not get reflected in the next HTTP_REQUEST. What should I do to make the variable hold its value?

example:

when HTTP_REQUEST {
    if { [info exists var] and $var eq 1 } {
        # do something
        unset var
    }
}

when HTTP_RESPONSE {
    if { [HTTP::status] contains 302 and [HTTP::header "Location"] eq "/vdesk/hangup.php3" } {
        set var 1
    }
}


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Guy,
Use a custom session variable in your iRule like the following:

when HTTP_REQUEST {
    # The APM session variable survives across TCP connections of the same session
    if { [ACCESS::session data get session.custom.var] eq "1" } {
        # do something
        ACCESS::session data set session.custom.var ""
    }
}
when HTTP_RESPONSE {
    # Opening brace must stay on the same line as the condition in Tcl
    if { [HTTP::status] contains 302 and [HTTP::header "Location"] eq "/vdesk/hangup.php3" } {
        ACCESS::session data set session.custom.var "1"
    }
}
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The problem with your code is that the next request can be in a different TCP connection... so the variable is not shared between response and request...

The HTTP response can be HTTP 1.0, which means the TCP connection closes just after the response...

Comments on this Answer
Comment made 2 months ago by Chandru 01 60

Actually I am trying to implement OTP solution for a web application that is hosted via mobile fabric for mobile solution which is already on PROD. The web application or the mobile fabric does not have any knowledge about the OTP, and is silently handled by F5 (2).

(1) Mobile App -> (2) F5 -> (3) Mobile Fabric -> (4) F5 -> (5) Web App

F5 (2) has the APM enabled which is integrated with our OTP solution. Mobile Fabric is also a kind of reverse proxy, which handles traffic based on service calls through JSON request/response.

When accessing the mobile application, the user enters the username and password in the 1st screen, and gets authenticated by the Web App (5) which is again a service call handled by the Mobile Fabric (3). At this phase the APM in F5 (2) is not enabled.

Now a custom page for the mobile app is created in the Mobile Fabric (3) to enter the OTP, and the Mobile Fabric (3) will accept, but not validate, the data (it checks only for the OTP length). F5 (2) captures the data, extracts the username and OTP via iRule and validates the user in the OTP solution.

If OTP auth is successful, the OTP code is sent as a JSON payload from F5 (2) via sideband connectivity to the Mobile Fabric (3), and then the user is directed to the application access.

If OTP auth fails, F5 (2) will send a custom JSON payload for incorrect OTP, and terminates the session.

The issue is that the management wants a minimum of 5 attempts for OTP auth before closing the connection. I am not able to implement the Macro loop with much success (F5 ver 12.1). I am trying to overcome this: I have two VIPs configured for this application (one without APM and the other with APM), to manipulate the APM response and maintain the session for implementing the failure reattempt of 5 counts.

Any ideas or suggestions?

Comment made 2 months ago by jurgenvdmark@gmail.com 122

Use tables (https://devcentral.f5.com/wiki/iRules.table.ashx). One extra advantage of tables is that you can use them cross-virtuals and cross iRules.
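
The table-based approach suggested above, as an added example that is not part of the original thread: a failure counter kept in the session table, so it survives across TCP connections, unlike a plain iRule variable. The key (client address), the 300-second window and the JSON body are assumptions; the failure signal is the 302 redirect from the question.

```tcl
when RULE_INIT {
    set static::otp_max_fail 5    ;# attempts allowed, as required in the thread
    set static::otp_window 300    ;# assumed: seconds before the counter expires
}

when HTTP_REQUEST {
    # Assumed key: the client address. Behind NAT, key on a username or a
    # session cookie instead so that users do not share a counter.
    set key "otp_fail:[IP::client_addr]"

    # -notouch reads the entry without resetting its idle timer
    set fails [table lookup -notouch $key]
    if { $fails ne "" && $fails >= $static::otp_max_fail } {
        # Constructed JSON body, for illustration only
        HTTP::respond 403 content {{"error":"otp_locked"}} "Content-Type" "application/json"
        return
    }
}

when HTTP_RESPONSE {
    # $key is still valid here: the response belongs to the same connection
    # as the request that set it. Only the counter itself lives in the table.
    if { [HTTP::status] == 302 && [HTTP::header "Location"] eq "/vdesk/hangup.php3" } {
        # Create the entry once with a fixed lifetime (no idle timeout),
        # then count the failure without extending that lifetime.
        table add $key 0 indef $static::otp_window
        table incr -notouch $key
    }
}
```

The counter expires on its own after the window; where the iRule can also see a successful validation, `table delete $key` at that point resets it early.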

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You have the opportunity to use the functionality (OTP Verify) in VPE that allows you to activate 5 attempts. Or create what you need via an empty box (verify your OTP with loop: 5).

First of all, do you use the F5 native solution for OTP?

Why can't you use OTP Verify, which allows you 5 attempts...

regards

Comments on this Answer
Comment made 2 months ago by Chandru 01 60

We have the Gemalto OTP solution, and I don't think we can use OTP Verify here. But when I try the macro loop, it doesn't work for me as I am not setting it up right. For OTP solution verification I use RADIUS auth in VPE. Any use case example for a macro loop using RADIUS auth?

Comment made 2 months ago by youssef 3588

In this case, why don't you use the RADIUS functionality in VPE:

You don't need to use a loop; you can do it natively with Radius Auth:

Comment made 2 months ago by Chandru 01 60

The problem is that the RADIUS auth in my configuration fetches the input from the iRule preceding it. For a wrong attempt, I need to rely on my iRule to respond with a JSON payload about the failure to the user for a retry. I am not sure how to achieve this by setting the max logon attempt setting in RADIUS auth.

Comment made 2 months ago by Chandru 01 60

OTP -> LTM irule to fetch the credentials -> radius auth -> irule to send the failure JSON

Comment made 2 months ago by Chandru 01 60

So just wanted to assign a variable for the response, and perform the next request action based on the variable value. Not working though.
