Forum Discussion
Stanislas_Piro2
Oct 31, 2016
Hi,
I created this to authenticate users with APM and allow with AFM:
On the APM VS, assign this irule:
when ACCESS_ACL_ALLOWED {
    log local0. "requete de [IP::client_addr]"
    switch [HTTP::path] {
        "/status" {
            # limit to 1 connection per IP address
            set value [table lookup -subtable IPAdmins [IP::client_addr]]
            set lifetime [table lifetime -subtable IPAdmins -remaining [IP::client_addr]]
            # the remaining seconds are shown as a duration, so format them in GMT
            # (otherwise the local timezone offset is added to the displayed value)
            set lifetime_formated [clock format $lifetime -format {%H:%M:%S} -gmt true]
            # no entry or expired entry: send the user to /disconnect and stop here
            if {$lifetime eq "" || $lifetime < 1} {
                ACCESS::respond 302 noserver Location "/disconnect"
                return
            }
            ACCESS::respond 200 content "
Authenticated
You are authenticated successfully :
session time remaining : $lifetime_formated
Your client IP : [IP::client_addr]
Your authorization role : $value
" noserver
        }
        "/disconnect" {
            # remove the IP -> role mapping, then end the APM session
            table delete -subtable IPAdmins [IP::client_addr]
            ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
        }
        default {
            # record the client's group from the local DB: 7200 s idle timeout, 43200 s max lifetime
            table set -subtable IPAdmins [IP::client_addr] [ACCESS::session data get session.localdb.groups] 7200 43200
            ACCESS::respond 302 noserver Location "/status"
        }
    }
}
On the routing VS, assign this iRule:
when CLIENT_ACCEPTED {
    switch [table lookup -subtable IPAdmins [IP::client_addr]] {
        "Group1" {virtual /Common/VS-GROUP1}
        "Group2" {virtual /Common/VS-GROUP2}
        "Group3" {virtual /Common/VS-GROUP3}
        default {drop}
    }
}
Each VS VS-GROUPX is a forwarding VS with dedicated AFM policy.
If you do not have the AFM module, you can filter in the iRule with a Datagroup instead of assigning a VS.
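As an added example (not part of the original post), this is one way to write the Datagroup variant of the routing iRule mentioned above: the IPAdmins subtable populated by the APM iRule is still the source of the client's role, but instead of handing the connection to a per-group forwarding VS, the rule checks the destination against an address-type data group for that role and drops anything not listed. The data group names dg_group1_allowed, dg_group2_allowed and dg_group3_allowed are assumptions; they would hold the destination networks each role may reach.

```tcl
# Added example, not from the original post: routing iRule that filters with
# data groups instead of per-group virtual servers. Assumed data groups:
# dg_group1_allowed, dg_group2_allowed, dg_group3_allowed (address type, one per role).
when CLIENT_ACCEPTED {
    set role [table lookup -subtable IPAdmins [IP::client_addr]]

    # No APM session recorded for this source IP: deny by default.
    if { $role eq "" } {
        log local0. "deny [IP::client_addr] (no session) -> [IP::local_addr]"
        drop
        return
    }

    # Map the APM group to the data group holding its permitted destinations.
    switch $role {
        "Group1" { set allowed dg_group1_allowed }
        "Group2" { set allowed dg_group2_allowed }
        "Group3" { set allowed dg_group3_allowed }
        default {
            log local0. "deny [IP::client_addr] (unknown role $role) -> [IP::local_addr]"
            drop
            return
        }
    }

    # Allow only destinations listed for that role; everything else is dropped.
    if { [class match [IP::local_addr] equals $allowed] } {
        log local0. "allow [IP::client_addr] ($role) -> [IP::local_addr]"
    } else {
        log local0. "deny [IP::client_addr] ($role) -> [IP::local_addr]"
        drop
    }
}
```

The explicit `return` after each `drop` stops the rest of the event from running, and logging both allow and deny decisions gives the same kind of audit trail a dedicated AFM policy would produce, which is useful when troubleshooting why a client's traffic is not reaching its destination.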