Login Banner

Question

Hello.I've been tasked to create a login banner that will pop up when an external user hits my LTM and goes to any of my virtual servers. It's supposed to consist of a short message explaining that use of the system constitutes consent to monitoring and should have one button (yes/ok etc.) and the small x in the corner that would allow them to cancel out of the pop up (ideally this should close their connection or send them to an errorpage.) I believe this is possible with an iRule, but I have no experience with TCL. I would greatly appreciate any suggestions and help that anyone has to offer. Thanks in advance.

hooleylist · Answer

Hi Javern, 
&nbsp;  
&nbsp; What protocol are you load balancing through LTM?  For HTTP, you could use a stream profile to inject Javascript which creates a popup in responses.  We've discussed this type of response content injection in a few recent posts: 
&nbsp;  
&nbsp; http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/1171990/afv/topic/Default.aspx 
&nbsp; http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/29379/afv/topic/Default.aspx 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;aff=5&amp;aft=1144860&amp;afv=topic&amp;afpgj=1 
&nbsp;  
&nbsp; Aaron

member_9894 · Answer

We are using HTTPS. I'll check out those threads, thank you. &nbsp;

reiss_79688 · Answer

Hello,&nbsp;&nbsp;I'm working with Member 9894 on this project.&nbsp;&nbsp;What we are attempting to accomplish is present our users with a banner that says 'you are accessing our servers; you consent to monitoring, blah blah blah' and have them click on the 'OK' button to access the content.&nbsp;&nbsp;Here's our basic setup...&nbsp;&nbsp;multiple VS accessed via https...using PKI/CAC for client authentication.&nbsp;using Big IP LTM v9.3.0&nbsp;&nbsp;We would like to have Big IP serve the 'banner' page prior to the users being authenticated for any of our VSs.&nbsp;&nbsp;I have attempted to use a 'HTTP::respond 200 content [subst $::html_data]'. I can get the page (basic html with embedded css) to be served but when clicking on the 'OK' button I'm not sure what happens at that point.&nbsp;&nbsp;Any help would be appreciated.&nbsp;&nbsp;I can post iRule scripting if needed; let me know.

hooleylist · Answer

It should be relatively simple to implement a Javascript injection in responses.  I think the trick is to figure out what code you want to inject and under which circumstances.  For example, if this was the HTML for your index page: 
&nbsp;  
&nbsp;

My test index page

This is the rest of the HTML in the body...

&nbsp;  
&nbsp; You could use a stream profile and STREAM::expression based iRule to replace &lt; body &gt; with &lt; body &gt; &lt; script &gt;alert('Click ok to access the page')&lt; /script &gt;: 
&nbsp;  
&nbsp;

My test index page

This is the rest of the HTML in the body...

&nbsp;  
&nbsp; If you wanted to serve a page instead of Javascript, you could use logic like has been done in the maintenance page Codeshare examples.  On any request (or any request to a login page), check for a cookie which the iRule sets upon clicking okay in a form.  If the cookie is not set, redirect the client to /tos.html or some other page which is served from the iRule.  On requests to that page, you send back the HTML for a banner page with an Accept button.  The form action could be the same URI with a query string parameter set like /tos.html?accept=1.  On requests to /tos.html?accept=1, you could redirect to the login page or the originally requested page and set a cookie indicating acceptable of the terms of service. 
&nbsp;  
&nbsp; Here are links to the maintenance page examples: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/LTMMaintenancePageGenerator.html 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/LTMMaintenancePage.html 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/Automatic_maintenance_page___Sorry_page_with_images.html 
&nbsp;  
&nbsp; Aaron

reiss_79688 · Answer

Thanks Aaron. Very good info.  I was heading down those lines, but how do I get the iRule to capture the button click on my html page delivered to the user?
Here is a snippet of what I have for the html on my tos.html page.  I Agree  
This just seems to bring me back to the tos.html page. 
Also, the only way that I can see (with my limited knowledge of the Big IP traffic flow sequence and when the events are called) to do it is to have the iRule set a variable or cookie in the same conditional statement as the HTTP::respond.  By doing this, though, the user won't actually have to click the 'I Agree' button to have the cookie or variable be set, instead, all they would have to do is visit the page.  I would much rather know that they clicked the 'I Agree' button.
Here is some of the iRule: when CLIENT_ACCEPTED {
set consent_monitor "NotAgree"
log local0. "CLIENT_ACCEPTED"
}
when HTTP_REQUEST {
 if { $consent_monitor == "NotAgree" } {
  log local0. "Client has not agreed to monitoring. Sending consent page..."
  set origUrl "[HTTP::host][HTTP::uri]"
  log local0. "original URL = $origUrl"
  HTTP::respond 200 content [subst $::html_data]
  
  set consent_monitor "Agree"
 }
}

Any thoughts?...clear as mudd? 
Reiss

Forum Discussion

Login Banner

8 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

F5 login banner - GUI/CLI

Insufficient permissions BIG-IQ login error

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

Bypass Azure Login Page by adding a login hint in the SAML Request

Reduce Login Friction with F5 Distributed Cloud Authentication Intelligence