Forum Discussion

VB_95896
Jan 06, 2010

SSL only when auth - HTTP>SSL>HTTP

Hi,

I'd like to (re)produce the following behavior:

When a client sends an HTTP request to a website called "host", the intermediate BigIP requires an SSL connection (redirects the client to HTTPS://host). The BigIP then asks the client for a login and password (there is an LDAP authentication profile on the HTTPS virtual server). Then, if the authentication is successful (AUTH_SUCCESS), the BigIP allows the client to connect to the website "host" using HTTP (redirect to http://host).

The purpose of this is to confine the use of SSL to the authentication process.

Here is my target configuration:

STEP 1:

A virtual server "HTTP_1" to which the client sends a first HTTP request (URL = HTTP://host/f5). "HTTP_1" redirects the client to HTTPS://host/ (with an iRule).

STEP 2:

A virtual server "HTTPS_1" to which the requests to HTTPS://host/ are sent. "HTTPS_1" should redirect the client to HTTP://host only if the authentication is successful (AUTH_SUCCESS).

STEP 3:

The virtual server "HTTP_1" collects the HTTP requests destined for HTTP://host (profile) and forwards them to the pool containing "host".

I manage steps 1 and 3 but fail to produce step 2. I can't find an iRule doing step 2...

Thanks for your help.

Regards,

Vincent

1 Reply

  • Hi Vincent,

    If the two VIPs are on the same domain, you could use a cookie to track that the client has successfully authenticated against the auth server and redirect the client to the HTTP VIP. You could then check for that cookie on the HTTP VIP before redirecting the client back to HTTPS. From a security standpoint, you could try encrypting the client's User-Agent header value together with a timestamp and use that as the cookie value. On requests, if the cookie value can be decrypted, the User-Agent header from the cookie matches the client's User-Agent, and the timestamp is newer than some session timeout value, you would consider the auth cookie valid.

    Also, in 9.4+ the four AUTH_ events have been deprecated in favor of a single event, AUTH_RESULT.

    You can get a few examples from the Codeshare for doing auth:

    http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html

    http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHttpCookie.html

    And you can check the default LDAP auth rule, _sys_auth_ldap.

    Aaron
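
The pair of iRules below is an added worked example of the cookie scheme sketched in the reply (encrypted "timestamp|User-Agent" token minted on the HTTPS VIP after AUTH_RESULT, checked on the HTTP VIP before anything reaches the pool). It is not code from the thread, from the Codeshare links, or from F5. Assumed details: the rule names, the cookie name F5AUTH, a 1800-second lifetime, that the static key string is a placeholder in the format returned by [AES::key 128] and must be generated and pasted in by hand, that AUTH::status returns 0 for a successful authentication (the convention used by the _sys_auth_* rules), that b64decode returns an empty string on undecodable input, and that HTTP_1's default pool is the pool containing "host" (step 3), so a valid token simply lets the request fall through.

```tcl
# --- iRule on HTTPS_1 (assumed name: https_auth_cookie), attached alongside the LDAP auth profile ---
when RULE_INIT {
    # static:: variables are global to all iRules on the box, so this RULE_INIT
    # only needs to exist once. PLACEHOLDER key: generate a real one with
    # [AES::key 128] and paste the result here (assumed "AES 128 <hex>" format).
    set static::auth_key     "AES 128 00112233445566778899aabbccddeeff"
    set static::auth_cookie  "F5AUTH"
    set static::auth_timeout 1800   ;# seconds a token stays valid (assumed value)
}

when AUTH_RESULT {
    # Assumption: AUTH::status 0 == AUTH_SUCCESS. Any other result is left to the
    # profile's own _sys_auth_ldap rule, which re-issues the 401 challenge.
    if { [AUTH::status] == 0 } {
        # Token plaintext is "<unix time>|<user-agent>": the timestamp bounds the
        # token's life, the User-Agent loosely binds it to this client.
        set plain "[clock seconds]|[HTTP::header User-Agent]"
        # Encrypt with the shared static key, then base64 so it is cookie-safe.
        set token [b64encode [AES::encrypt $static::auth_key $plain]]
        # Step 2: send the client back to plain HTTP with the token.
        # No Secure attribute on purpose: the HTTP VIP must receive this cookie.
        HTTP::respond 302 Location "http://[HTTP::host]/" \
            Set-Cookie "$static::auth_cookie=$token; Path=/; HttpOnly"
    }
}

# --- iRule on HTTP_1 (assumed name: http_auth_check) ---
when HTTP_REQUEST {
    if { [HTTP::cookie exists $static::auth_cookie] } {
        # b64decode yields "" on garbage (assumed); AES::decrypt errors out on a
        # wrong key or mangled ciphertext, so wrap it in catch.
        set raw [b64decode [HTTP::cookie value $static::auth_cookie]]
        if { $raw ne "" && ![catch { AES::decrypt $static::auth_key $raw } plain] } {
            # The timestamp can never contain "|", so split at the first one even
            # if the User-Agent itself contains a pipe.
            set sep [string first "|" $plain]
            if { $sep > 0 } {
                set issued [string range $plain 0 [expr {$sep - 1}]]
                set ua     [string range $plain [expr {$sep + 1}] end]
                if { [string is integer -strict $issued]
                     && ([clock seconds] - $issued) <= $static::auth_timeout
                     && $ua eq [HTTP::header User-Agent] } {
                    # Valid token: fall through to HTTP_1's default pool (step 3).
                    return
                }
            }
        }
        # Cookie present but undecryptable, expired or from another User-Agent:
        # treat it exactly like no cookie at all.
    }
    # Step 1: anything without a valid token is sent to HTTPS to authenticate.
    HTTP::redirect "https://[HTTP::host]/"
}
```

Two points worth keeping in mind when deploying this. First, the token deliberately carries no Secure attribute and is replayed on every plain-HTTP request, so it is exposed on the wire like any ordinary session cookie; the design protects the LDAP password during login, not the session afterwards, which is what the original poster asked for. Second, both iRules must see the same static::auth_key; if the RULE_INIT block is only in one rule, that rule must be loaded for the other to work, and rotating the key invalidates every outstanding token at once.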