APM AdAuth HTTP Header Insert iRule Switch Statement
Hi folks, first forum post here, looking for a hand with iRules!
Currently when a user connects from their PC to the Virtual Server, as part of the Access Policy they are presented with a Logon Page, which authenticates with AD Auth, and upon successful authentication, the traffic is passed and a header is inserted with their username via an iRule. This HTTP header is required for the backend service to work. It uses the following iRule to apply this:
when ACCESS_ACL_ALLOWED {
    HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
}
We have two other devices that want to access this virtual server but do not need the username header to be inserted, as it is already present, so would like to pass these devices straight through without applying the header again, based on their source IPs. This is what I've come up with:
when ACCESS_ACL_ALLOWED {
    switch [IP::cliemt_addr] {
        "10.0.0.1" -
        "10.0.0.2" { //do nothing }
        default {
            HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
        }
    }
}
I am not well versed with iRules, but believe this should work, but would like some confirmation/advice if something better can be done! Thanks in advance.
As Jason said, there are many ways to do this and your method looks fine. But note your typo in IP::client_addr. And it is good practice to use -- to terminate switch options.
You could also do this by checking whether the header already exists:
when ACCESS_ACL_ALLOWED {
    # Only insert the header when the request does not already carry one
    if { ! [HTTP::header exists iv-user] } {
        HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
    }
}
Doh! My bad, thanks for that. I did find that the F5 does not like:
// do nothing
within those braces, so I have omitted the contents and left it as:
when ACCESS_ACL_ALLOWED {
    switch -- [IP::client_addr] {
        "10.0.0.1" -
        "10.0.0.2" {}
        default {
            HTTP::header insert "iv-user" [ACCESS::session data get "session.logon.last.username"]
        }
    }
}
This should be okay, right?
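An added example, not part of any post in this thread: a variant of the switch rule that also removes any iv-user header a non-exempt client sends before inserting the authenticated name, since both the plain insert and the header-exists check leave a client-supplied value in the request. The two addresses are the ones from the thread; the empty-username handling and the log message are assumptions.

```tcl
when ACCESS_ACL_ALLOWED {
    switch -- [IP::client_addr] {
        "10.0.0.1" -
        "10.0.0.2" {
            # Upstream devices that already set iv-user themselves:
            # pass the request through unchanged.
        }
        default {
            # All other clients: drop every iv-user header that arrived
            # with the request, so the backend only ever sees the name
            # APM authenticated for this session.
            HTTP::header remove "iv-user"
            set user [ACCESS::session data get "session.logon.last.username"]
            if { $user ne "" } {
                HTTP::header insert "iv-user" $user
            } else {
                # Assumption: a missing session username is worth logging
                # rather than forwarding an empty header.
                log local0. "iv-user not inserted: no session username for [IP::client_addr]"
            }
        }
    }
}
```

Comments sit on their own lines inside each body because Tcl treats everything after # up to the end of the line, including a closing brace, as part of the comment.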