Forum Discussion

santhana_121263
Mar 12, 2013

Persist Cookie and Domain Modification iRule question

Hi,

I am a newbie to F5 and I am trying to find out whether the following iRule is valid, or how I can achieve something similar to the below.

In plain text:

Browser sends a request to www.foo.com.au/Login/someapp

F5 should intercept and redirect to https://accesscontrol.abc.com.au/Login/someapp

accesscontrol.abc.com.au is a VIP / F5 address and it should insert a cookie "setRequestAuthnContxt=SOMEKEY" and the domain to be one level down, which is abc.com.au and not accesscontrol.abc.com.au. Also I would like to see

    when HTTP_REQUEST {
      if { [HTTP::host] equals "www.foo.com.au" and [HTTP::uri] starts_with "/Login/someapp" } {
        HTTP::redirect "https://accesscontrol.abc.com.au/Login/someapp [HTTP::host][HTTP::uri]"
      }
    }

    when HTTP_REQUEST {
      if { [HTTP::host] equals "accesscontrol.abc.com.au" and [HTTP::uri] starts_with "/Login/someapp" }
      { when HTTP_RESPONSE {
        HTTP::cookie insert name "setRequestAuthContxt" SOMEKEY [HTTP::cookie value "old-cookie-name"]
        HTTP::cookie domain $aCookie .abc.com.au
      }
      HTTP::redirect "https://www.foo.com.au/someapp [HTTP::host][HTTP::uri]"
      }
    }

Appreciate your response.


5 Replies

  • Is it something like this?

    [root@ve10:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          set mod_ck 0
          if { [HTTP::host] equals "accesscontrol.abc.com.au" and [HTTP::uri] starts_with "/Login/someapp" } {
             set mod_ck 1
          }
       }
       when HTTP_RESPONSE {
          if { $mod_ck } {
             HTTP::cookie insert name "setRequestAuthContxt" value SOMEKEY domain "abc.com.au"
          }
       }
    }

    # set-cookie

    [root@ve10:Active] config # curl -Ik https://accesscontrol.abc.com.au/Login/someapp
    HTTP/1.1 404 Not Found
    Date: Tue, 12 Mar 2013 10:22:49 GMT
    Server: Apache/2.2.3 (CentOS)
    Content-Type: text/html; charset=iso-8859-1
    Set-Cookie: setRequestAuthContxt=SOMEKEY;domain=abc.com.au;

    # no set-cookie

    [root@ve10:Active] config # curl -Ik https://accesscontrol.abc.com.au/
    HTTP/1.1 200 OK
    Date: Tue, 12 Mar 2013 10:23:09 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
    
  • The example looks like a similar problem I've got at the moment.

    The example seems to work with a sub-domain within the same domain:

    e.g. https://accesscontrol.abc.com.au/

    But how would you get the F5 to use an iRule or iRules to:

    1. Detect a referer URL in one domain (like in this example: http://foo.com.au/AppStart/something);

    2. Use the iRule to redirect to another domain (like in the example: http://abc.com.au/AppStart/something) which is passed back to another F5 VIP;

    3. Have another iRule detect the redirected referer URL (like in the example: http://abc.com.au/AppStart/something);

    4. Create a cookie called SetRequestAuthnContext (as in the example) with a specific cookie value (like in the example: Something) in the redirected referer domain (like in the example: http://abc.com.au);

    5. After setting the cookie in the abc.com.au domain, redirect back to the original referer URL (http://foo.com.au/TheApplication);

    6. The original referer URL will read the SetRequestAuthnContext cookie and forward the browser to a specific element within the original referer URL.

    It looks like Santhana's rule suggests the above steps, yet I'm a little lost when it comes to coding the F5 iRule itself.

    Fabian


  • I think it may be easier to understand if you can divide the steps into virtual server/iRule, so we can address them one by one.
  • Here is my first ever attempt at some F5 coding, learning from what you started with, nitass.

    Am I even close?

    Fabian

    [root@ve10:Active] config # b virtual foo_website list
    # Website No.1 - https://www.foo.com.au/Login/Something
    virtual foo_website {
       snat automap
       pool foo
       destination 172.28.19.252:443
       ip protocol 6
       rules redirect
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    # iRule No.1 - https://www.foo.com.au/Login/Something redirecting to https://as.abc.com.au/Login/Something
    [root@ve10:Active] config # b rule redirect list
    rule redirect {
       when HTTP_REQUEST {
          if { [HTTP::host] equals "www.foo.com.au" and [HTTP::uri] starts_with "/Login/Something" } {
             HTTP::redirect "https://as.abc.com.au/Login/Something [HTTP::host][HTTP::uri]"
          }
       }
    }

    [root@ve10:Active] config # b virtual abc_website list
    # Website No.2 - https://as.abc.com.au/Login/Something
    virtual abc_website {
       snat automap
       pool foo
       destination 172.28.19.253:443
       ip protocol 6
       rules setcookie
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    # iRule No.2 - If https://as.abc.com.au/Login/Something then set cookie called setRequestAuthcontext with cookie value of SOMEKEY in the *.abc.com.au domain.  Once the cookie is set then redirect back to https://www.foo.com.au/TheApplication
    [root@ve10:Active] config # b rule setcookie list
    rule setcookie {
       when HTTP_REQUEST {
          set mod_ck 0
          if { [HTTP::host] equals "as.abc.com.au" and [HTTP::uri] starts_with "/Login/Something" } {
             set mod_ck 1
             HTTP::redirect "https://www.foo.com.au/TheApplication [HTTP::host][HTTP::uri]"
          }
       }
       when HTTP_RESPONSE {
          if { $mod_ck } {
             HTTP::cookie insert name "setRequestAuthContxt" value SOMEKEY domain "abc.com.au"
          }
       }
    }


  • 1

    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if { [HTTP::host] equals "www.foo.com.au" and [HTTP::path] starts_with "/Login/Something" } {
             HTTP::redirect "]"
          }
       }
    }

    [root@ve10:Active] config # curl -Ik https://www.foo.com.au/Login/Something/sweet
    HTTP/1.0 302 Found
    Location: https://as.abc.com.au/Login/Something/sweet
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    2

    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if { [HTTP::host] equals "as.abc.com.au" and [HTTP::path] starts_with "/Login/Something" } {
             HTTP::respond 302 Location "https://www.foo.com.au/TheApplcation" "Set-Cookie" "setRequestAuthContxt=SOMEKEY; path=/; domain=.abc.com.au"
          }
       }
    }

    [root@ve10:Active] config # curl -Ik https://as.abc.com.au/Login/Something/sweet
    HTTP/1.0 302 Found
    Location: https://www.foo.com.au/TheApplcation
    Set-Cookie: setRequestAuthContxt=SOMEKEY; path=/; domain=.abc.com.au
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
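
How a browser scopes the cookie set in the last reply, as an added example that is not code from any poster in this thread: a Python sketch of RFC 6265 domain matching run against the thread's Set-Cookie value. The public-suffix set is a constructed subset and all function names are assumptions of this example.

```python
import ipaddress

# Constructed subset for this example; browsers consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"au", "com.au"}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def store_cookie(setting_host, header):
    """Return the cookie as a browser would store it, or None if rejected."""
    name, value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lower().lstrip(".")
    if not domain:  # no Domain attribute: host-only cookie
        return {"name": name, "value": value, "domain": setting_host.lower(), "host_only": True}
    # Simplification: the RFC's "suffix equals request host" corner case is not modelled.
    if domain in PUBLIC_SUFFIXES or not domain_match(setting_host, domain):
        return None
    return {"name": name, "value": value, "domain": domain, "host_only": False}

def sent_to(cookie, request_host):
    """True if the stored cookie would be attached to a request for request_host."""
    if cookie["host_only"]:
        return request_host.lower() == cookie["domain"]
    return domain_match(request_host, cookie["domain"])

def missing_flags(header):
    """Secure/HttpOnly attributes that the Set-Cookie value does not carry."""
    attrs = parse_set_cookie(header)[2]
    return [flag for flag in ("secure", "httponly") if flag not in attrs]

# Set-Cookie value taken from the curl output in the last reply.
THREAD_HEADER = "setRequestAuthContxt=SOMEKEY; path=/; domain=.abc.com.au"
```

With domain=.abc.com.au the cookie is returned to every *.abc.com.au host and to no foo.com.au host, and a response from as.abc.com.au cannot set a cookie for foo.com.au at all. The header as posted carries neither Secure nor HttpOnly.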