Forum Discussion

raZorTT's avatar
raZorTT
Icon for Cirrostratus rankCirrostratus
Oct 31, 2017

Secure a web service using APM

Hi

 

I'm looking to use the F5 to secure (basic auth) a web service that needs to be called from a .net application.

 

What is the best way to configure something like this, where the "client" isn't a browser?

 

The application doesn't appear to support the 302 redirects that a browser would, so do I need to create a fairly vanilla access profile (logon page - AD Auth - Allow) and then write an irule to send the inital 401 response to the initial request?

 

Cheers, Simon

 

APM
application delivery
web services

2 Replies

Sort By
  • Jad_Tabbara__J1's avatar
    Jad_Tabbara__J1
    Icon for Cirrostratus rankCirrostratus
    Oct 31, 2017

    Hello Simon,

     

    Check the "HTTP 401 Response" action. It will be useful in your case and you won't need to use an irule to make the 401 response.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-12-1-0/5.html

     

    Your VPE will look like this "HTTP 401 Response" + "AD AUTH" + ending allow or deny

     

    From the HTTP 401 Response you can choose which auhtentication protocol you want to in the HTTP 401 Response Header.

     

    Hope it helps

     

    Regards

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Oct 31, 2017

    Hi,

    Access Policy default behavior is to redirect to /my.policy even if authentication is Basic Auth in VPE.

    you have to use an irule to insert clientless-mode header with value 1

    try this irule with policy logon page - AD Auth - Allow

    when RULE_INIT {
   set static::Basic_Realm_Text "Authentication Required"
}
when HTTP_REQUEST {
    if { ! [ info exists SP_PROFILE_RESTRICT_SINGLE_IP ] } {
        set SP_PROFILE_RESTRICT_SINGLE_IP        [PROFILE::access restrict_to_single_client_ip]
    } 
    if { ( [set sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $sessionid] ) } then {
         Allow the successfully pre authenticated request to pass
        return
    } else {
        if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
            set clientless(insert_mode) 1
            set clientless(src_ip)      [IP::remote_addr]
            set clientless(username)    [ string tolower [HTTP::username] ]
            set clientless(password)    [HTTP::password]
            if { $SP_PROFILE_RESTRICT_SINGLE_IP == 0 } {
                binary scan [md5 "$clientless(password)"] H* clientless(hash)
            } else {
                binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash)
            }
            set user_key "$clientless(username).$clientless(hash)"
            set clientless(cookie_list)             [ ACCESS::user getsid $user_key ]
            if { [ llength $clientless(cookie_list) ] != 0 } {
               set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
               if { $clientless(cookie) != "" } {
                  HTTP::cookie insert name MRHSession value $clientless(cookie)
                  set clientless(insert_mode) 0
               }
           }
           if { $clientless(insert_mode) } {
               HTTP::header insert "clientless-mode" 1
           }
        }
    }
}

when ACCESS_SESSION_STARTED {
    if { [info exists user_key] } then {
        ACCESS::session data set {session.user.uuid} $user_key
    }        
    if { [info exists clientless] } then {        
         ACCESS::session data set {session.logon.last.username} $clientless(username)             
         ACCESS::session data set -secure {session.logon.last.password} $clientless(password)   
    }
}


when ACCESS_POLICY_COMPLETED {
    if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
        ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
        ACCESS::session remove
    } 
}