Hi, I´m trying to do an Irule to encrypt and decrypt the URI with a cookie value as key. But it´s not working as expected, somebody as any opinion about these irule? when HTTP_REQUEST { set uri [HTTP::uri] set host [HTTP::host] if { [HTTP::cookie exists "JSESSIONID"] } { if {not ([catch { AES::decrypt [HTTP::cookie value "JSESSIONID"] [b64decode $uri] } decrypted])}{ log local0. "session: $IDkey uri $uri decriptada: $decrypted" HTTP::uri $decrypted set uri $decrypted } } } when HTTP_RESPONSE { if { [HTTP::cookie exists "JSESSIONID"] } { set encrypted [b64encode [AES::encrypt [HTTP::cookie value "JSESSIONID"] $uri]] log local0. "session: $IDkey uri: $uri encriptada: $encrypted" HTTP::header replace Location "$encrypted" } }

First, it's always helpful if you give us more info to go off of than that something just isn't working as expected. Including details on HOW it's misbehaving, error log entries, etc. is very helpful. That being said, it doesn't look like you're setting the value of decrypted anywhere. This would make it pretty hard to use that to update the uri later. Try changing the HTTP_REQUEST section to something like: when HTTP_REQUEST { set uri [HTTP::uri] set host [HTTP::host] if { [HTTP::cookie exists "JSESSIONID"] } { set decrypted [AES::decrypt [HTTP::cookie value "JSESSIONID"] [b64decode $uri]] if { [string length $decrypted] > 1 } { log local0. "session: $IDkey uri $uri decriptada: $decrypted" HTTP::uri $decrypted set uri $decrypted } } } I think that'll get you closer to the result you're looking for. That's a pretty interesting use of a cookie as a key. I'd love to hear how it works out for you once you get it up and running. Colin

sorry for my mistake Colin, the main problem is with the decrypt part in http_request, the response encryption i think is working, but I´m in trouble to identify when a uri was previously encrypted or not, if the URI wasn´t encrypted before, there´s no reason for me to decrypt it. If I undertand well if the string wasn´t encrypted the decripted variable will be empty. Is that right? other question, on the decryption line i´m getting the error Jan 29 15:23:44 tmm tmm[3789]: 01220001:3: TCL error: Rule irule_encrypt_uri - conversion error invoked from within "b64decode $uri" it´s happening because the uri wasn´t previously encrypted or this function wasn´t supported this way, the line that invoke this error is this: set decrypted [AES::decrypt [HTTP::cookie value "JSESSIONID"] [b64decode $uri]] I think if I can put a control to define when a uri is encrypted I can solve the problem easily.

Couldn't you just uncomment the line that checks for the JSESSIONID cookie? Wouldn't every incoming connection that's had that cookie set by the server have the encrypted URI? Colin

So far, you've tried to encrypt the Location field in 302 redirects. This doesn't handle the links in the response content. I'm not sure why you'd only want to encrypt the redirect links but not the response content links. Trying to encrypt the response content links wouldn't be so easy. You could try doing this using a regular expression to identify links. You could configure this regex as a STREAM::expression and encrypt the links in the STREAM_MATCHED event. You would not want to encrypt links to URI's that users could legitimately start accessing the application at. In requests, you could check the requested URI against the defined start pages. If it's not a defined start page, then you try to decrypt the path. You can check the stream related pages for examples on using a stream profile to rewrite response content (Click here). Aaron

encrypt/decrypt URI | DevCentral

11 Replies

ukstin

Nimbostratus

Feb 25, 2009

I´ve changed a little the scope of the irule, instead of encrypt/decrypt de URI, I create a cookie (encrypted) to control the access of a specific pool.

In the default pool, the application already has an authentication control, but the other pool is called by de default one and has no user session or any type of control, so without the irule any internet user could access the application. the last version of the irule is listed below:

  
 when RULE_INIT {  
 set ::cookiename "JSESSIONKEY"  
 set ::aeskey [AES::key 128]  
 }  
 when HTTP_REQUEST {  
 set collect_payload 1  
 set http_query [findstr [HTTP::query] "key=" 4 end]  
 set http_uri [string tolower [HTTP::uri]]  
 if { [HTTP::cookie exists $::cookiename] } {  
 set collect_payload 0  
 }  
 if { $collect_payload } {  
  Sem Chunk  
 if { [HTTP::version] eq "1.1" } {  
 if { [HTTP::header is_keepalive] } {  
 HTTP::header replace "Connection" "Keep-Alive"  
 }  
 HTTP::version "1.0"  
 }  
 }     
 if { $http_uri starts_with "/pool_to_protect" } {  
 if { [AES::decrypt $::aeskey [b64decode [URI::decode [HTTP::cookie value $::cookiename]]]] eq $http_query } {  
 pool pool_protected   
 } } elseif { $http_uri starts_with "/default_pool"} {  
 pool pool_default   
 }  
 }  
 when HTTP_RESPONSE {  
 if { $collect_payload } {  
  Coletar Content_length ou setar em 1 MB  
 set clen [HTTP::header Content-Length]  
 if { not [info exists clen] or "" eq $clen } {  
 set clen 1000000  
 }  
 HTTP::collect $clen  
 }     
 }  
 when HTTP_RESPONSE_DATA {  
 if { $collect_payload } {  
 set chave [findstr [HTTP::payload] "key = " 7 "'"]  
 if {[string length $chave] > 1 } {   
 HTTP::cookie insert name $::cookiename value [URI::encode [b64encode [AES::encrypt $::aeskey $chave]]] path "/" domain "www.domain.com"   
 }  
 }    
 }

thanks for everyone for the help and tips.

Forum Discussion

encrypt/decrypt URI

11 Replies

Recent Discussions

Web acceleration

Content type hearder charset=UTF-8

snmp automatic stop mail send

Slow SSL handshake on "Performance(Layer 4)" VIP.

LDAPS and renegotiation

Related Content

encrypted cookie generation and decryption

set TOKEN [getfield [HTTP::uri]

SSL decryption/re-encryption w/iRule feeding into HTTPS load balance

Hide uri on client side

Regex for dynamic URI