Forum Discussion
Nicolas_Destor
Jun 21, 2018 Cirrostratus
Use the event ACCESS_POLICY_AGENT_EVENT instead of ACCESS_ACL_DENIED. Then call your method inside APM using the "iRule Event" box, with the name of your method as present in the iRule attached to the VS.
Below is an example of an iRule that can match your need to dynamically assign an L4 ACL for HTTP/HTTPS resources:
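when ACCESS_POLICY_AGENT_EVENT {
    # Runs when the "iRule Event" box with ID "set_dynamic_acl" is reached in the access policy
    if { [ACCESS::policy agent_id] eq "set_dynamic_acl" } {
        # Target host and protocol come from custom session variables
        set hostname [ACCESS::session data get session.custom.hostname]
        # static::dns must hold the DNS server address (set elsewhere, e.g. in RULE_INIT)
        set ip [lindex [RESOLV::lookup @$static::dns $hostname] 0]
        set protocol [ACCESS::session data get session.custom.protocol]
        # Allow only the port that matches the requested protocol
        if { $protocol == "http" } {
            ACCESS::session data set session.dyn_acl "{ allow tcp any $ip:80 }"
        }
        if { $protocol == "https" } {
            ACCESS::session data set session.dyn_acl "{ allow tcp any $ip:443 }"
        }
    }
}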
The variable "session.dyn_acl" created by this method must be used in a "Dynamic ACL" box after the iRule event call.
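
A defensive variant of the entry-building step in the iRule above, as an added example that is not part of the original post: it returns no ACL entry when the lookup result is empty or not an IPv4 address, or when the protocol is neither http nor https. The procedure names `is_ipv4` and `dyn_acl_entry` are hypothetical and the sample inputs are constructed. It assumes the caller passes in the `RESOLV::lookup` result and only sets `session.dyn_acl` when the return value is non-empty.

```tcl
# Added example, not the original poster's code. Plain Tcl, runs under tclsh.
# The entry format "{ allow tcp any <ip>:<port> }" is the one used in the post.

# Return 1 if $ip is a dotted-quad IPv4 address with every octet in 0..255.
proc is_ipv4 {ip} {
    if {![regexp {^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$} $ip -> a b c d]} {
        return 0
    }
    foreach octet [list $a $b $c $d] {
        # scan reads the digits as decimal, so a leading 0 is not taken as octal
        scan $octet %d value
        if {$value > 255} { return 0 }
    }
    return 1
}

# Build the dynamic ACL entry, or return "" when the input is unusable.
# lookup_result is the list returned by the DNS lookup; only its first
# element is used, as in the post.
proc dyn_acl_entry {protocol lookup_result} {
    switch -- [string tolower [string trim $protocol]] {
        http    { set port 80 }
        https   { set port 443 }
        default { return "" }
    }
    set ip [lindex $lookup_result 0]
    if {![is_ipv4 $ip]} { return "" }
    return [format "{ allow tcp any %s:%d }" $ip $port]
}

# Constructed sample inputs: {protocol lookup-result}
foreach case {
    {https {192.0.2.10 192.0.2.11}}
    {http  {192.0.2.10}}
    {https {}}
    {ftp   {192.0.2.10}}
    {http  {999.1.1.1}}
} {
    foreach {protocol result} $case break
    set entry [dyn_acl_entry $protocol $result]
    if {$entry eq ""} { set entry "(no entry, leave session.dyn_acl unset)" }
    puts [format "%-5s %-24s -> %s" $protocol "\[$result\]" $entry]
}
```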