Application access basic authentication using iRule
We are using BIG-IP LTM version 11.1.0
We need to introduce authentication before accessing an application (virtual server) so as to restrict application access to a limited set of users when it is accessed from the internet. I found some documentation on accomplishing this using an iRule and a data group. But since I am new to iRules, I am not able to configure it properly, and some of the documents talk about syntax differences between LTM versions. Following is the example referred to.
Create an "authorized_users" data group with the username and the corresponding MD5 password hash for each user, generated using Linux.
For each user, create a login and password entry in the "authorized_users" data group, as in the example:
Create the iRule with the following code:
when HTTP_REQUEST {
    # Hex-encode the MD5 of the supplied password so it can be compared with the
    # hash stored for this user in the data group
    binary scan [md5 [HTTP::password]] H* password
    # v10/v11 syntax: reference the data group by name; the v9 form $::authorized_users
    # is what the older documents use
    if { [class lookup [HTTP::username] authorized_users] equals $password } {
        log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]"
    } else {
        # Only log a denial when a password was actually supplied (not on the first challenge)
        if { [string length [HTTP::password]] != 0 } {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
        }
        # The inner quotes around the realm must be escaped, otherwise the Tcl string ends early
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        event HTTP_REQUEST disable
        SSL::session invalidate
    }
}
But when I tried to create a data group using the web GUI, the options available were address, integer and string. Also, as mentioned above, some documents refer to a syntax difference when using class in iRules between versions.
Step-by-step support to achieve this configuration is highly appreciated.
It worked. Thanks for the guidance and quick response.
But after inserting the iRule, we faced another issue. We were using the iRule below for some pool mapping. But after introducing the new rule for authentication, the application screen is not displayed properly. Following is the existing rule.
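To make the iRule's decision easier to follow while you sort out the data-group syntax, here is an added reference model in Python of the same check (this is not the iRule, not F5 code and not from any of the documents mentioned; it is only a stand-alone illustration of the logic). The AUTHORIZED_USERS dict stands in for the "authorized_users" data group, with each value being the hex MD5 of the password exactly as the iRule computes it with binary scan ... H*; the user names and passwords are constructed sample values. It also shows the correctly quoted WWW-Authenticate challenge, which is the part of the original snippet that is easiest to get wrong.

```python
"""Reference model of the Basic-auth check performed by the iRule (added example)."""
import base64
import binascii
import hashlib
import hmac

# Constructed stand-in for the "authorized_users" data group: username -> hex MD5 of
# the password, i.e. what `printf '%s' 'hunter2' | md5sum` prints on Linux.
AUTHORIZED_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}

REALM = "Secured Area"


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic <b64>' header, or None.

    This is what HTTP::username / HTTP::password do for you inside the iRule.
    """
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # latin-1 maps bytes 1:1, matching the byte-wise MD5 the iRule computes
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def check_request(auth_header, users=AUTHORIZED_USERS):
    """Mirror of the iRule branch: returns (status, headers).

    200 with no headers means the request passes through to the virtual server;
    401 carries the Basic challenge, exactly like HTTP::respond 401 in the iRule.
    """
    creds = parse_basic_auth(auth_header)
    if creds is not None:
        user, password = creds
        stored = users.get(user, "")  # class lookup returns "" when there is no entry
        supplied = hashlib.md5(password.encode("latin-1")).hexdigest()  # binary scan [md5 ...] H*
        # compare_digest avoids leaking which prefix of the hash matched via timing
        if stored and hmac.compare_digest(stored, supplied):
            return 200, {}
    # The realm is a quoted-string: in Tcl this needs "Basic realm=\"Secured Area\""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_header(user, password):
    """Build the Authorization header a browser sends for a username/password pair."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()


if __name__ == "__main__":
    print(check_request(basic_header("alice", "correct horse")))  # passes
    print(check_request(basic_header("alice", "nope")))           # challenge
    print(check_request(None))                                    # first request, challenge
```

Note that the data group holds unsalted MD5 of the password, as the referred example does, so the strength of this scheme rests entirely on the passwords themselves and on the virtual server being TLS-only (the iRule's SSL::session invalidate assumes that). The model above returns the decision rather than printing it so the behaviour can be checked on sample headers.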
when HTTP_REQUEST {
    # ------------ Attachment related modification ------------
    # (excerpt as pasted: the braces in this block do not balance, so the event and
    #  condition headers that originally enclosed the Location handling are not shown)
    event enable all
    if {[HTTP::uri] contains "OpenElement"} {
        event HTTP_RESPONSE disable
        event HTTP_RESPONSE_DATA disable
    }
    regexp -nocase {http://(dlbmail(1|2)(cl)?)\.dhanbank\.com/(.*)} [HTTP::header "Location"] match l m o n
    HTTP::header replace "Location" "http://webmail.dhanbank.com/$l/$n"
    log local0. "Backend server redirection on DLBMAIL pool- POST MOD = [HTTP::header "Location"]"
}
if {([info exists a]) and ($a ne "")} {
    regsub -nocase {^/(?!dlbmail(01|02))(.*)} [HTTP::header "Location"] {/$a/\1}
}
}
if {[HTTP::header "Content-Type"] starts_with "text/"} {
    # Collect the whole text body so HTTP_RESPONSE_DATA can rewrite it
    set cl [HTTP::header "Content-Length"]
    if {not($cl equals "")} {
        HTTP::collect $cl
    }
}
}
when HTTP_RESPONSE_DATA {
    if {[info exists mlock]} {
        if {$mlock == 1} {
            regexp -nocase {http://(dlbmail((1|2)(cl)?)).dhanbank.com/([^"]*)} [HTTP::payload] match ml nuc nu uc uri
            log local0. "Match detected URI = $match"
            log local0. "Match detected ML= $ml"
            log local0. "Match detected NU= $nu"
            log local0. "Match detected URI= $uri"
            set usr [string range $uri [expr [string last / $uri] +1] [expr [string last "nsf" $uri] -2]]
            regsub -nocase -all {http://(dlbmail(1|2)).dhanbank.com/} [HTTP::payload] {http://webmail.dhanbank.com/\1/}
            set mlock 0
            HTTP::cookie insert name UTAG value "[string toupper DLBMAIL0$nuc]:$usr" domain .dhanbank.com path "/"
            log local0. "Retrieval complete and cookie UTAG inserted =[string toupper DLBMAIL0$nuc]:$usr"
        }
        if {$mlock matches_glob "DLB*"} {
            HTTP::cookie insert name MTAG value "$mlock" domain .dhanbank.com path "/"
            log local0. "Passing the HANDLE for IMPLICIT Pool selection MTAG = $mlock"
        }
    }
    # Rewrite backend host names in the collected body, then release it to the client
    set pl [HTTP::payload length]
    regsub -nocase -all {http://(dlbmail((1|2)(cl)?))\.dhanbank\.com/} [HTTP::payload] {http://webmail.dhanbank.com/\1/} nplw
    regsub -nocase -all {dlbarchive\.dhanbank\.com} $nplw {webmailarch.dhanbank.com} nplw
    HTTP::payload replace 0 $pl $nplw
    HTTP::release
}
Just a quick question. Your thread topic is asking about HTTP Basic auth, but it would appear your application is doing forms-based auth. Are you trying to replace the form and use accounts local to the F5?