Forum Discussion

Dan_Ezell
Sep 29, 2015

How to control access to multiple webapps behind a single virtual server using AD groups

I have a number of webapps behind a single virtual server. Access to each webapp should be granted based on group membership in an AD group.

Example:

VirtualServer1(Extranet.example.test)  
    Webapp1(Extranet.example.test\webapp1)  
        members of AD\Webapp1-access group should only have access to this webapp
    Webapp2(Extranet.example.test\webapp2)  
        members of AD\Webapp2-access group should only have access to this webapp
    Webapp3(Extranet.example.test\webapp3)  
        members of AD\Webapp3-access group should only have access to this webapp

What is the best way to accomplish this?

Currently, I use iRules to direct traffic based on the path\uri to the correct application pool. When I assign an Access Policy to VirtualServer1, I can control authentication based on the Landing URI variable, but once authenticated a user is able to gain access to any one of the 3 apps. It seems Access Policies are not able to be assigned dynamically via iRules. I started to test using a separate 'Internal Virtual Server' for each app but am unable to assign an HTTP profile and Access Policy to this type of Virtual Server either. What am I missing? Is there a better way to accomplish this?

Thanks,

Dan

3 Replies

  • Any insight on how to apply this procedure to resources/webapps assigned via iRules in a VirtualServer (vs. resources assigned via Portal Access like the article is written for)?

    Thank you,

    Dan

  • You could try something like this:

    when HTTP_REQUEST {
        # Normalise the request path once; the memberOf attribute is read from
        # the APM session (populated by the AD Query agent in the access policy)
        set uri [string tolower [HTTP::uri]]
        set groups [ACCESS::session data get session.ad.last.attr.memberOf]

        # Each path prefix requires membership in its own AD group;
        # anything else gets a 403
        if { $uri starts_with "/webapp1" } {
            if { not ($groups contains "CN=Webapp1-access") } {
                HTTP::respond 403
            }
        } elseif { $uri starts_with "/webapp2" } {
            if { not ($groups contains "CN=Webapp2-access") } {
                HTTP::respond 403
            }
        } elseif { $uri starts_with "/webapp3" } {
            if { not ($groups contains "CN=Webapp3-access") } {
                HTTP::respond 403
            }
        }
    }
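The authorization decision in the iRule above, modelled offline as an added example (this is not the poster's iRule and not F5 code). It goes a little beyond the reply: it matches the group CN exactly by parsing each DN in memberOf instead of a substring `contains` check (so `CN=Webapp1-access-admins` does not satisfy `Webapp1-access`), matches the path as a whole segment (so `/webapp10` is not `/webapp1`), and denies any path that has no mapping. The `" | "`-separated memberOf string and the DN layout are constructed assumptions; the real format depends on how the AD Query agent is configured.

```python
"""Offline model of per-path AD group authorization for webapps behind one VS.

Added example, not the forum poster's iRule. Assumptions (constructed):
  - memberOf arrives as one string of DNs separated by " | "
  - each webapp path prefix maps to exactly one required group CN
"""
import re

# Path prefix -> required AD group CN (names taken from the question)
PATH_GROUPS = {
    "/webapp1": "Webapp1-access",
    "/webapp2": "Webapp2-access",
    "/webapp3": "Webapp3-access",
}

# Constructed sample of what the memberOf session variable might hold
SAMPLE_MEMBER_OF = (
    "CN=Webapp1-access,OU=Groups,DC=example,DC=test | "
    "CN=Webapp3-access-admins,OU=Groups,DC=example,DC=test"
)


def parse_member_of(member_of: str) -> set:
    """Return the set of group CNs (lower-cased) found in a memberOf value.

    Taking the CN of each DN gives exact group names; a plain substring test
    on the whole string would also accept "CN=Webapp1-access-admins" for
    "CN=Webapp1-access".
    """
    groups = set()
    for dn in member_of.split("|"):
        match = re.match(r"CN=([^,]+)", dn.strip(), re.IGNORECASE)
        if match:
            groups.add(match.group(1).lower())
    return groups


def required_group(uri: str):
    """Return the group CN the URI's path requires, or None if unmapped."""
    path = uri.split("?", 1)[0].lower()  # ignore query string, like tolower in the iRule
    for prefix, group in PATH_GROUPS.items():
        # whole-segment match: "/webapp1" and "/webapp1/..." but not "/webapp10"
        if path == prefix or path.startswith(prefix + "/"):
            return group
    return None


def authorize(uri: str, member_of: str) -> int:
    """Return the HTTP status the policy produces: 200 allow, 403 deny.

    Unmapped paths are denied by default; the iRule in the reply lets them
    through, which is the gap this version closes.
    """
    group = required_group(uri)
    if group is None:
        return 403
    return 200 if group.lower() in parse_member_of(member_of) else 403


if __name__ == "__main__":
    for uri in ["/webapp1/index.html", "/WebApp3/", "/webapp10", "/"]:
        print(uri, "->", authorize(uri, SAMPLE_MEMBER_OF))
```

Running the block prints 200 for `/webapp1/index.html` and 403 for the other three: the user is in `Webapp3-access-admins`, not `Webapp3-access`, so `/WebApp3/` is refused, and `/webapp10` and `/` have no mapping.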