Forum Discussion

Mike_Roe_60070's avatar
Mike_Roe_60070
Icon for Nimbostratus rankNimbostratus
Nov 23, 2010

APM irule: remote login page needs referer

Hi all, We have a need to hide all our apps behind a single login application and are using a remote login page in an APM policy to do this. The problem is that this login app needs some way of finding out which of our 500+ sites the request originated from. We were hopeful that we could just use the referer header but, as the firt hop in this process is the F5 VIP that the policy is assigned to the referer shows http://my.app.com/my.policy.

 

 

My best (and only) idea is to somehow attach a cookie in when the access session is created but, being a noob all I seem capable of is logging the original referer but I have been unsuccesful creating a cookie with that value in it that the remote login app can use. My attempt is below:

 

 

when ACCESS_SESSION_STARTED {

 

set orig_referer [HTTP::header value Referer]

 

log local0. "Referer: $orig_referer"

 

HTTP::cookie insert name "orig_referer_cookie" value $orig_referer path "/"

 

}

 

 

 

Any help making this one work would be very appreciated.

 

application delivery
dev
devops
iRules

4 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Nov 24, 2010
    Hi Mike,

    You've succeeded in inserting a cookie into the request. This would be sent to the pool member and probably ignored.

    I think you could set a variable to track the value to insert in ACCESS_SESSION_STARTED and then do the cookie insert in HTTP_RESPONSE. 

    
when ACCESS_SESSION_STARTED {
   set orig_referer [HTTP::header value Referer]
   log local0. "Referer: $orig_referer"
}
when HTTP_RESPONSE {

    Check if orig_referer is set
   if { [info exists orig_referer] }{

       Insert the cookie in the response
      HTTP::cookie insert name orig_referer_cookie value $orig_referer path "/"

       Unset the variable so we only set the cookie once
      unset orig_referer
   }
}

    If you're using the cookie for access control, you might want to encrypt it. You can do this by setting the cookie name in a custom HTTP profile for 'cookies to encrypt'. Or you could do it manually using 'HTTP::cookie encrypt|decrypt':

    http://devcentral.f5.com/wiki/default.aspx/iRules/http__cookie

    Aaron
  • Mike_Roe_60070's avatar
    Mike_Roe_60070
    Icon for Nimbostratus rankNimbostratus
    Nov 24, 2010
    Thanks Aaron! I have tried this and it is still not working as planned so I put a line in the "when HTTP_RESPONSE" section to log the orig_referer variable and it does not seem to be there. Is it possible that the variables set in the "when ACCESS_SESSION_STARTED" cant exist in the "when HTTP_RESPONSE" section?

     

     

    Thanks

     

    Mike
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Nov 24, 2010
    That might be true. I haven't played around with APM to know for sure. Maybe someone else can clarify.

     

     

    Can you clarify how/under what circumstances you want to tell the login app which hostname the client started with? Is this a separate application running behind APM? Do all requests go through this application or just some?

     

     

    Depending on when the info needs to be inserted into a cookie, it's possible you could add the start page as a session variable in ACCESS_SESSION_STARTED using something like:

     

     

    ACCESS::session data set session.custom.referer [HTTP::header Referer]

     

     

    Aaron
  • Mike_Roe_60070's avatar
    Mike_Roe_60070
    Icon for Nimbostratus rankNimbostratus
    Nov 24, 2010
    So the access policy refers to a remote login page which in this case is an app. That app needs to know which site you are coming from so that it can display some images and look/feel of that site. then it posts creds back to the access policy and is passed into the correct pool. Basically for the login page to act properly it needs to know that the request originated from www.mydaytonstore.com or www.mycincinnattistore.com and this the only way I can come up with to accomplish it. I had thought of setting it as session datatoo but I cant figure out how to get the session data out of the session and into the login app.?.

     

     

    Thanks again for your help! It isnt easy fora noob.. =)