
am_gli_287451
Apr 20, 2017

APM: Strip off path from Landing URI

Hi,

Currently I'm working on an APM-Policy and I'm facing an issue with a temporary URI.

Scenario: I want to implement different Sign-On-Methods and an error-fallback for a failed login.

So the idea is to have a landing-URI, with branches for /ad , /google and a fallback to an error-login-page with /error.

If I connect to test.com/ad - the Logon-Page for AD-Authentication should appear (username/pw). If I connect to test.com/google - Logon-Page for 2-Factor should appear (username/pw/googleauthcode). If I enter the wrong code, I should be redirected to test.com/error and get another 2F-logon page with a customized text (wrong code) and again the 3 fields for authentication.

Now, if I use the default "Allow"-Ending in the policy editor, the URL that is forwarded to the webserver is test.com/ad, which causes a 404 error. So the best thing would be to strip off the path after the landing page. I tried to achieve this with an iRule-event, but it doesn't work as expected.

Here's my Policy and the iRule:

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "strip_off_path" } {
        if { [string tolower [HTTP::uri]] starts_with "/ad" } {
            HTTP::uri "/"
        } elseif { [string tolower [HTTP::uri]] starts_with "/error" } {
            HTTP::uri "/"
        } else {
        }
    }
}

Any ideas? Is it possible to strip off the HTTP::uri with an alternative ending in the policy itself (without iRule)? If I use a redirect-ending to "https://%{session.server.network.name}" I get back to the 2F-Logon-Page again (Landing URI fallback).

Thanks & BR

2 Replies

  • The iRule you have should work.

     

    Can you put some logs in the iRule and check what happens? We want to check if the iRule is triggered, also the URI before and after the change.

     

    Also, I would suggest you use HTTP::path, as that is a subset of the URI, so smaller and consequently more efficient. Anyway, the idea remains the same.

     

    https://devcentral.f5.com/wiki/irules.http__path.ashx

     

  • Hi,

    HTTP::uri and HTTP::path don't work in policy evaluation (except in clientless mode). During policy evaluation, the URI is always /my.policy.

    If you want to evaluate the landing URI (the URI the user entered before redirecting to /my.policy), you can work with this iRule:

     

    when ACCESS_SESSION_STARTED {
        switch -glob -- [set landinguri [ACCESS::session data get session.server.landinguri]] {
            "/ad/*" {
                log local0. "Path before iRule: $landinguri"
                set newlandinguri [string map -nocase {"/ad/" "/"} $landinguri]
                ACCESS::session data set session.server.landinguri $newlandinguri
                log local0. "Path after iRule: $newlandinguri"
                log local0. "Logon type iRule: ad"
                ACCESS::session data set session.custom.logontype "ad"
            }
            "/error/*" {
                log local0. "Path before iRule: $landinguri"
                set newlandinguri [string map -nocase {"/error/" "/"} $landinguri]
                ACCESS::session data set session.server.landinguri $newlandinguri
                log local0. "Path after iRule: $newlandinguri"
                log local0. "Logon type iRule: error"
                ACCESS::session data set session.custom.logontype "error"
            }
        }
    }
    

     

    This iRule is raised before VPE evaluation, and you can then replace the landinguri box with a box using branches:

     

    ad : expr {[mcget {session.custom.logontype}] equals "ad"}
    
    error : expr {[mcget {session.custom.logontype}] equals "error"}
    

     

    If you want to rewrite all requests starting with /ad/ and /error/, you can use this iRule (raised after HTTP_REQUEST, and for all requests allowed by APM):

     

    when ACCESS_ACL_ALLOWED {
    
        switch -glob -- [set uri [HTTP::uri]] {
            "/ad/*" {
                log local0. "Path before iRule: $uri"
                set newuri [string map -nocase {"/ad/" "/"} $uri]
                HTTP::uri $newuri
                log local0. "Path after iRule: $newuri"
            }
            "/error/*" {
                log local0. "Path before iRule: $uri"
                set newuri [string map -nocase {"/error/" "/"} $uri]
                HTTP::uri $newuri
                log local0. "Path after iRule: $newuri"
            }
        }
    }
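
An added example, not part of the replies above: a variant of the ACCESS_SESSION_STARTED approach that strips only the leading /ad or /error segment. Tcl's `string map` replaces every occurrence of its pattern, and the glob "/ad/*" is case-sensitive and does not match a bare /ad, so this version anchors the match at the start of the path, compares case-insensitively and keeps the query string. It reuses session.server.landinguri and session.custom.logontype from the reply; the loop structure and local variable names are assumptions.

```tcl
when ACCESS_SESSION_STARTED {
    set landinguri [ACCESS::session data get session.server.landinguri]

    # Separate path and query string so only the path is matched.
    set qpos [string first "?" $landinguri]
    if { $qpos >= 0 } {
        set path  [string range $landinguri 0 [expr {$qpos - 1}]]
        set query [string range $landinguri $qpos end]
    } else {
        set path  $landinguri
        set query ""
    }

    # Logon types handled by the policy branches (assumed list).
    foreach prefix {ad error} {
        # Length of "/<prefix>", e.g. 3 for "/ad".
        set plen [expr {[string length $prefix] + 1}]
        set head [string tolower [string range $path 0 [expr {$plen - 1}]]]
        # Character right after the prefix; empty when the path ends there.
        set next [string index $path $plen]

        # Accept "/ad" and "/ad/..." but not "/admin" or "/x/ad/".
        if { $head eq "/$prefix" && ($next eq "" || $next eq "/") } {
            # Remove only the leading segment; later "/ad/" stays untouched.
            set rest [string range $path $plen end]
            if { $rest eq "" } { set rest "/" }

            ACCESS::session data set session.server.landinguri "$rest$query"
            # Value comes from the fixed list above, never from the request.
            ACCESS::session data set session.custom.logontype $prefix
            log local0. "Landing URI prefix stripped, logon type: $prefix"
            break
        }
    }
}
```

With this rule, /AD/app/ad/report?x=1 becomes /app/ad/report?x=1 with logon type "ad", while /admin is left unchanged and gets no logon type.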