I have a virtual server and need to modify the traffic via an iRule Requirement: 1. Need to add authorization via static credential 2. Request comes in as POST , should go as POST from the F5, but server sees as GET from the F5 3. Redirect to redirect to another url via an iRule I have using the below but it is not working. when HTTP_REQUEST { set logindata [b64encode "usermane:password"] HTTP::header insert Authorization "Basic $logindata" HTTP::redirect "https://www.abc.com[HTTP::uri]" } '

Hi, The problem is when you oper your redirect you lost your post data that's the reason why. Could you explain why you redirect your Post request, (your irule seems correct) Regards

So to clarify, you need to change the client-side POST to a GET on the server-side, and inject some static credentials? Will the POST have payload? And if so, do you want to mirror that payload to the server? Will all requests be coming in as POSTs? An HTTP::redirect command sends a 302 HTTP redirect back to the client, so probably not what you want. Can you elaborate on the desired traffic flow?

Hi Kevin, Below are the answers to address your query Will the POST have payload? And if so, do you want to mirror that payload to the server? Yes, POST will have payload (an xml file) and we need to mirror this. . Will all requests be coming in as POSTs? Yes, all requests come as POST ..we need to include credentials and still pass the payload as HTTP POST itself . Can you elaborate on the desired traffic flow? . 1. Client sends a HTTP POST with xml payload to First External F5 (Internet facing) Here there is no pool, it redirects to another VIP on a second external F5, So on the 1st External F5e we use HTTP::redirect "https://www.abc.com[HTTP::uri]" Also we need to add static creds and the POST shall go as a POST (right mow server Sees it becomes a GET, which should not be the case) . 2. Second External F5 with VIP - From here it goes to an Internal F5 VIP which is Pool Member here 3. Internal F5 - pool member server 4. Server

Ah, I see. You're saying that the redirect changes the POST to a GET. This is an expected behavior when you send a 301 or 302 redirect to a browser. Not all clients support this, but the better option may be to send a 307 instead. See this: https://httpstatuses.com/307 You'd do this with an HTTP::respond instead: HTTP::respond 307 Location "http://foo"

iRule help for | DevCentral

17 Replies

Kevin_Stewart

Employee

Aug 31, 2018

That's fine. So,

when HTTP_REQUEST {
    if { ( [HTTP::url] equals "/a/b/c/d/e/v2" ) and ( [HTTP::method] equals "POST" ) } {
        set logindata [b64encode "username:password"]     
        HTTP::header insert Authorization "Basic $logindata"
        pool vip2_pool
    }
}

Aditya_Mehra
Cirrus
Aug 31, 2018
Hey Kevin,

Just tried the above suggestion, but for some reason the F5 does not keep the uri while forwarding to the pool.

Also i changed the [HTTP::url] to [HTTP::uri] -> is that fine?

Thanks, Aditya
Kevin_Stewart
Employee
Aug 31, 2018
Yes, minor type. It should be [HTTP::uri].

But on the other point, there's nothing in the iRule that would be changing the URI, and the VIP wouldn't touch it either.

Not sure if you're re-encrypting between the two BIG-IPs, but you may need to capture traffic between to see what's going on.

You can also set up logging on VIP2 to report the inbound URI.

when HTTP_REQUEST { log local0. "Incoming method: [HTTP::method]" log local0. "Incoming URI: [HTTP::uri]" foreach x [HTTP::header names] { log local0. "Incoming header ($x): [HTTP::header $x]" } }
Aditya_Mehra
Cirrus
Aug 31, 2018
Thanks Kevin,

I will try the option with VIP2 to insert the static credentials and also log it.

Will update here once that is done as it may require a few approvals.

As of now we are only redirecting traffic from External F5 1 to External F5 2 from https to https, and we have a client ssl and and the default 'serverssl' in place so no encryption is there.

So now flow will be:

Client --> External F5 1 (iRule redirection to VIP_A) --> External F5 2 VIP_A (iRule auth header and logging) here pool member as Internal F5 VIP_B --> Internal F5 VIP_B (pool as the final server) --> Server

Thanks,Aditya
Aditya_Mehra
Cirrus
Sep 07, 2018
Hi Kevin,

We could not make the changes on the second F5, but we are trying an alternative way.

So I had another query, if we do not offload the SSL on the F5, can we still add the authorization header and forward it to the back end server where the SSL terminates.

Thanks, Aditya
Kevin_Stewart
Employee
Sep 07, 2018
No. You cannot access layer 7 (HTTP) properties unless you decrypt the traffic.
Aditya_Mehra
Cirrus
Sep 08, 2018
Thanks Kevin.

Forum Discussion

iRule help for

17 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

iRULE regsub error

owa iapp assign irule

Irule Trigger two times

iRule assistance for subfolder redirect

IRule to select IRule doesn't work even if the condition triggers