Adrien_Legros_1
Feb 07, 2011
Altostratus
TCL error with local variable
Hi, I have a problem with the following iRule. Here are some explanations about the flow:
1) The client sends a request that must be authenticated. He will be redirected to a URL on the same VIP with a different URI (/loginproxy/...). To keep the initial URL, we save it in the variable ROAD (case 3).
2) On this server, the client will receive a cookie to prove he has been authenticated. Now he must be redirected to the initial URL that was saved in the variable ROAD. This redirection is based on the content of the header ROAD.
3) The client goes to the initial URL.
The problem is:
When I use a global variable for ROAD, sometimes two different clients that go to two different URLs exchange the initial URL, due to the global variable.
When I use a local variable (as now), I receive a TCP error saying that ROAD is not known when inserting in the headers (case 3).
How can I correct it or keep the initial URL value?
Thanks for your help.
when RULE_INIT {
    set road "vide"
    set target "vide"
}

when CLIENT_ACCEPTED {
    log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
}

when HTTP_REQUEST {
    # Debug variable. 0=Debug disabled, 1=Debug Enabled
    set debug 1
    set cert [SSL::cert 0]
    # Modify this to change the Application name sent to the error pages
    set app_name "App1"
    # If no client certificate is received, the client is redirected to the error page
    if {$cert eq ""} {
        if {$debug == 1} {
            log "no cert"
        }
        HTTP::redirect "http://www.XXX.be/Error/certificate_reject.aspx?errCode=99&appName=$app_name&subject=None&issuer=None&validFrom=None&validTo=None"
    } else {
        # When we receive a certificate
        set result [SSL::verify_result]
        set sujet [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set serial [X509::serial_number $cert]
        set debut [X509::not_valid_before $cert]
        set fin [X509::not_valid_after $cert]
        # We first verify the validity. If the result is different than 0, we redirect the client to the error page
        if {$result > 0} {
            if {$debug == 1} { log "verify error - result = $result" }
            HTTP::redirect "http://www.XXX.be/Error/certificate_reject.aspx?errCode=$result&appName=$app_name&subject=$sujet&issuer=$issuer&validFrom=$debut&validTo=$fin"
        } else {
            # Then we verify the Issuer. If it is not a trusted issuer listed in the DATA GROUP trusted_issuers, we redirect to the error page
            if {not [class match $issuer contains trusted_issuers]} {
                if {$debug == 1} {
                    log "not a trusted issuer - $issuer"
                }
                HTTP::redirect "http://www.xxx.be/pub/App/Error/certificate_reject.aspx?errCode=$result&appName=$app_name&subject=Wrong_Issuer&issuer=$issuer&validFrom=$debut&validTo=$fin"
            } else {
                if {$debug == 1} {
                    log "trusted issuer"
                    log "Insert Certificate into the headers"
                }
                # Everything is fine, we can insert the certificate info in the headers
                HTTP::header insert x-nbbcertsubject [X509::subject $cert]
                HTTP::header insert x-nbbcertissuer [X509::issuer $cert]
                HTTP::header insert x-nbbcertserial [X509::serial_number $cert]
                HTTP::header insert x-nbbclientip [IP::client_addr]
                # Loadbalancing and pool selection based on the URI.
                # CASE 1
                if {([HTTP::uri] starts_with "/soap/mfi")} {
                    if {$debug eq 1} { log local0. "1 Direct Request to [HTTP::uri]" }
                    HTTP::uri "/mifidws[HTTP::uri]"
                    set road "[HTTP::host][HTTP::uri]"
                    set target "MIFIDWS"
                    pool SecureProxy
                } elseif {([HTTP::uri] starts_with "/MIFID/invoke") or ([HTTP::uri] starts_with "/mifid/invoke")} {
                    # CASE 2
                    if {$debug eq 1} {
                        log local0. "2 Direct Request to [HTTP::uri]"
                    }
                    HTTP::uri "/mifidb2b[HTTP::uri]"
                    set road "[HTTP::host][HTTP::uri]"
                    set target "MIFIDB2B"
                    pool SecureProxy
                } elseif {([HTTP::uri] starts_with "/loginproxy")} {
                    # CASE 3
                    if {$debug eq 1} { log local0. "3 Direct Request to [HTTP::uri]" }
                    HTTP::header insert target $road
                    HTTP::header insert x-targetapp $target
                    pool SecureProxy
                } else {
                    if {$debug eq 1} { log local0. "4. Normal Request to [HTTP::uri]" }
                    HTTP::redirect "http://www.google.be"
                }
            }
        }
    }
}
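
One way to keep the initial URL per client instead of in a global or connection-local variable, as an added example that is not part of the original post: the value is stored in the session table under a key derived from the client certificate, so two clients can never read each other's URL and the lookup still works when the /loginproxy request arrives on a new TCP connection. It assumes a BIG-IP version that provides the `table` command (10.1 or later) and that the certificate checks from the iRule above have already passed; the `road_` key prefix, the 300-second timeout and the choice to save the URL as the client requested it (before the rewrite) are illustrative, and only cases 1 and 3 are shown.

```tcl
# Added example, not the poster's code.
when HTTP_REQUEST {
    set cert [SSL::cert 0]
    if { $cert eq "" } { return }

    # Per-client key: issuer + serial identifies exactly one certificate.
    # The "road_" prefix is a hypothetical naming choice.
    set key "road_[X509::issuer $cert]_[X509::serial_number $cert]"

    if { [HTTP::uri] starts_with "/soap/mfi" } {
        # CASE 1: remember the URL as the client requested it, then rewrite.
        set initial "[HTTP::host][HTTP::uri]"
        HTTP::uri "/mifidws[HTTP::uri]"
        # Store URL and target application together for this client only.
        # 300 s idle timeout (assumed value): the entry expires if the
        # login round trip never completes.
        table set $key [list $initial "MIFIDWS"] 300
        pool SecureProxy
    } elseif { [HTTP::uri] starts_with "/loginproxy" } {
        # CASE 3: connection-local variables may not exist here, because
        # this request can arrive on a different TCP connection.
        set saved [table lookup $key]
        if { $saved eq "" } {
            # Nothing stored (expired or never set): use the same
            # placeholder value the original RULE_INIT assigned.
            set saved [list "vide" "vide"]
        }
        HTTP::header insert target [lindex $saved 0]
        HTTP::header insert x-targetapp [lindex $saved 1]
        pool SecureProxy
    }
}
```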