sanjai_126162
Aug 22, 2016

iRule to strip the URI; after APM completion it has to include the lengthy URI

iRule that will capture the HTTP URI if it is larger than 1098 bytes, then strip the HTTP URI from the HTTP request that is sent to the APM. Once the Access Policy evaluation is completed and the BIG-IP is about to forward the client's HTTP request on to the application server, the iRule will need to inject the long URI back into the HTTP request that is transmitted to the application server.

So could you please share a possible iRule to get this done?

 

6 Replies

  • Hi,

    Can you explain what you want to do exactly?

    The default behavior is:

    • the browser sends a request to https://f5.company.com/path/
    • the APM creates a new session and redirects the user to /my.policy, and /path/ is stored in the variable session.server.landinguri
    • the user authenticates according to the access policy
    • if the user authenticates successfully, the user is redirected to /path/ (stored in the variable session.server.landinguri)

    Did you have issues with landinguri longer than 1098?

     

  • I don't understand what the difference is between the default behavior and your expected behavior...

    As explained previously, the default behavior is:

    • the browser sends a request to https://f5.company.com/path/
    • the APM creates a new session and redirects the user to /my.policy, and /path/ is stored in the variable session.server.landinguri
    • the user authenticates according to the access policy
    • if the user authenticates successfully, the user is redirected to /path/ (stored in the variable session.server.landinguri)

    Your expected behavior is:

    • the browser sends a request to https://f5.company.com/path/; if the URI length is equal to or more than 1098, store it and strip it before sending it to APM --> new URI is /fakepath/
    • the APM creates a new session and redirects the user to /my.policy, and /fakepath/ is stored in the variable session.server.landinguri
    • the user authenticates according to the access policy
    • if the user authenticates successfully, the user is redirected to /fakepath/ (stored in the variable session.server.landinguri)
    • if the URI was previously stored by the iRule, replace the URI /fakepath/ with the stored one /path/

    I ask you why because the best events to do it are ACCESS_SESSION_STARTED and ACCESS_POLICY_COMPLETED or ACCESS_ACL_ALLOWED, which are APM events.

    So, if you want help, explain step by step what you are expecting.

     

  • My expectation is:

    • the browser sends a request to https://f5.company.com/path/; if the URI length is equal to or more than 4096 [1098 was just mentioned as a number, the exact value is 4096], store it and strip it before sending it to APM --> new URI is /fakepath/
    • the APM creates a new session and redirects the user to /my.policy, and /fakepath/ is stored in the variable session.server.landinguri
    • the user authenticates according to the access policy
    • if the user authenticates successfully, the user is redirected to /fakepath/ (stored in the variable session.server.landinguri)
    • if the URI was previously stored by the iRule, replace the URI /fakepath/ with the stored one /path/

    F5 allows only 4096 bytes [RFE ID 421616] and APM is blocking the request if it's crossing 4096 bytes, so we want to strip it before the request goes to the APM validation and later place the path exactly.

    Sorry for mentioning the value as 1098 bytes.

     

  • Hi,

    You can try this iRule (not tested):

    when HTTP_REQUEST {
        # Only requests without an APM session cookie and with a URI of 4096 bytes or more
        if {![HTTP::cookie exists "MRHSession"] && [string length [HTTP::uri]] >=4096} {
            # Hex-encoded SHA-1 of the URI is used as the table key
            binary scan [sha1 [HTTP::uri]] H* output
            # Keep the original URI for 600 seconds
            table add -subtable APMURI $output [HTTP::uri] 600
            HTTP::uri "/encodeduri/$output"
        }
    }

    when ACCESS_POLICY_COMPLETED {
        if { ([ACCESS::policy result] equals "allow")} {
            set landinguri [ACCESS::session data get "session.server.landinguri"]
            if  {$landinguri starts_with "/encodeduri/"} {
                # Strip the prefix to recover the table key, then redirect to the stored URI
                set encodeduri [string map { "/encodeduri/" ""} $landinguri]
                ACCESS::respond 302 Location [table lookup -notouch -subtable APMURI $encodeduri] Connection close
            }
        }
    }
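
A variant of the iRule in the reply above, added here as an example and not part of any poster's code: it validates the key taken from the landing URI and handles the case where the table entry is missing (for instance because the 600-second timeout passed during a slow logon), which would otherwise produce a redirect with an empty Location. The fallback location "/" and the log message are assumptions.

```tcl
when HTTP_REQUEST {
    # Park only pre-session requests whose URI reaches the 4096-byte limit from the thread.
    if { ![HTTP::cookie exists "MRHSession"] && [string length [HTTP::uri]] >= 4096 } {
        binary scan [sha1 [HTTP::uri]] H* key
        table add -subtable APMURI $key [HTTP::uri] 600
        HTTP::uri "/encodeduri/$key"
    }
}

when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] ne "allow" } { return }
    set landinguri [ACCESS::session data get "session.server.landinguri"]
    if { !($landinguri starts_with "/encodeduri/") } { return }

    # "/encodeduri/" is 12 characters long; what follows must be exactly the
    # 40 lowercase hex characters that "binary scan ... H*" yields for SHA-1.
    set key [string range $landinguri 12 end]
    set original ""
    if { [regexp {^[0-9a-f]{40}$} $key] } {
        set original [table lookup -notouch -subtable APMURI $key]
    }

    # Empty result: malformed key, or the entry expired before logon finished.
    # Send the user to a fixed fallback (assumed "/") instead of an empty Location.
    if { $original eq "" } {
        log local0. "APMURI: no stored URI for landing key, using fallback"
        set original "/"
    }
    ACCESS::respond 302 Location $original Connection close
}
```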
    
  • Hi Sanjai,

    to bypass the URI length limitations of APM, you have to use a Virtual-to-Virtual setup and then copy/restore the long URI into/from a custom HTTP header. Unfortunately this needs to be done on every single web request and not just during APM policy processing.

    EXTERNAL_VIRTUAL

    when HTTP_REQUEST {
        # Drop any client-supplied copy so only the value inserted below is used
        HTTP::header remove "LONG_HTTP_URI"
        if { [string length [HTTP::uri]] >  4095 } then {
            # Carry the long URI in a header and give APM a short placeholder URI
            HTTP::header insert "LONG_HTTP_URI" [HTTP::uri]
            HTTP::uri "/long_http_uri"
            virtual LONG_URI_VIRTUAL
        } else {
            pool site.domain.net
        }
    }
    when ACCESS_SESSION_STARTED {
        if { [HTTP::header value "LONG_HTTP_URI"] ne "" } then {
            ACCESS::session data set "session.server.landinguri" [HTTP::header value "LONG_HTTP_URI"]
        }
    }

    Note: You can store long URI into the landinguri session variable. It's just the APM HUD filter that needs to become tricked out...

    LONG_URI_VIRTUAL

    when HTTP_REQUEST {
        if { [HTTP::header value "LONG_HTTP_URI"] ne "" } then {
            # Restore the original URI from the same header the external virtual inserted
            HTTP::uri [HTTP::header value "LONG_HTTP_URI"]
            HTTP::header remove "LONG_HTTP_URI"
        }
        pool site.domain.net
    }
    

    Cheers, Kai

  • Hi,

    I have the same issue for one customer.

    I wrote this irule and it seems to work as expected:

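    when HTTP_REQUEST {
        # Clear any URI left over from an earlier request on this connection
        # that never reached HTTP_REQUEST_RELEASE
        unset -nocomplain uri
        if {[HTTP::cookie exists "MRHSession"] && [string length [HTTP::uri]] >=1024} {
            # Remember the long URI and show APM a short placeholder
            set uri [HTTP::uri]
            HTTP::uri "/fakeuri/"
        }
    }

    when HTTP_REQUEST_RELEASE {
        # Restore the original URI just before the request is sent to the server
        if {[info exists uri]} {HTTP::uri $uri; unset uri}
    }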