Forum Discussion

david78
Dec 22, 2011

iRule doesn't work after upgrade :(

hello,

After upgrading from v11.0 to v11.1 this iRule doesn't work.

There is no error message, but the client is redirected to /vdesk/hangup.php3

The first queries are ok, but not all.

    when HTTP_REQUEST {
        # for no redirect to /my.policy
        HTTP::header insert "clientless-mode" 1

        if { [ACCESS::policy result] ne "allow" } {
            if { [HTTP::header Authorization] eq "" } {
                # No credentials yet: challenge the client for Basic auth
                HTTP::respond 401 WWW-Authenticate "Basic realm=\"Unspecified\"" Connection close
                return
            } else {
                set username [HTTP::username]
                set password [HTTP::password]
            }
        }
    }

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "no_redirect" } {
            if { [info exists username] } {
                # Hand the Basic auth credentials to the access policy
                ACCESS::session data set session.logon.last.username $username
                ACCESS::session data set session.logon.last.password $password
            }
        }
    }

    when ACCESS_POLICY_COMPLETED {
        if { [ACCESS::session data get session.ldap.last.authresult] eq "0" } {
            ACCESS::respond 401 content "Error: Failure in Authentication" Connection close
            return
        }
    }

thx

5 Replies

  • Hi david,

    Are you aware of the HTTP 401 agent within APM? You can use this instead of iRules to issue an HTTP 401 with WWW-Authenticate Basic (and/or Negotiate, but not relevant to what you are doing). This option was introduced in v11.0.0.

  • Colin_Walker_12
    Historic F5 Account
    I don't see anything that obviously changed in 11.1 that should be causing problems for you. Time to start adding some log statements in different sections of the rule to see where things are actually failing. If there are no errors being dumped to the log, you need to start tracking down which parts are not successfully executing on the connections that are being dropped.

    Colin
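
The logging approach suggested above, as an added example that is not part of the original post or F5's own code: a separate trace iRule with one log line per event, so the log shows which stage the failing requests stop at. It assumes the rule is attached to the same virtual server as the rule under test and that local0 is the log facility; the `trace` variable name is made up here. It records only whether credentials are present, never their values.

```tcl
# Added example: trace points for the events used by the iRule in this thread.
# Never log [HTTP::password] or the raw Authorization header value.
when HTTP_REQUEST {
    # Tag each line with the client flow so one connection can be followed.
    set trace "[IP::client_addr]:[TCP::client_port]"

    # catch: if the ACCESS command cannot be used in this event, log the
    # error text instead of aborting the rule.
    if { [catch { set result [ACCESS::policy result] } err] } {
        set result "error: $err"
    }

    log local0. "$trace HTTP_REQUEST uri=[HTTP::uri] policy_result=$result\
        auth_header=[HTTP::header exists Authorization]\
        mrh_cookie=[HTTP::cookie exists MRHSession]"
}

when ACCESS_POLICY_AGENT_EVENT {
    # Assumption: variables set in HTTP_REQUEST are visible here, as the
    # thread's rule relies on; fall back to a marker if they are not.
    if { ![info exists trace] } { set trace "no-http-context" }

    log local0. "$trace AGENT_EVENT agent_id=[ACCESS::policy agent_id]\
        have_username=[info exists username]"
}

when ACCESS_POLICY_COMPLETED {
    if { ![info exists trace] } { set trace "no-http-context" }

    log local0. "$trace POLICY_COMPLETED result=[ACCESS::policy result]\
        ldap_authresult=[ACCESS::session data get session.ldap.last.authresult]"
}
```

A request that logs HTTP_REQUEST but never reaches AGENT_EVENT or POLICY_COMPLETED points at the HTTP_REQUEST logic rather than the access policy itself.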
  • John_Alam_45640
    Historic F5 Account
    It is possible that some ACCESS commands do not work in HTTP events like they used to. Use this iRule, it should work in both versions:

        when RULE_INIT {
            set static::ACCESS_APM_LOG_PREFIX "01490000:3:"
            set static::HttpRealm ""
            # Body sent with the 401 below; the variable was referenced but not
            # defined in the original post, so this value is a placeholder.
            set static::actsync_401_http_body "Authentication required"
        }

        when HTTP_REQUEST {
            set http_hdr_auth [HTTP::header Authorization]
            if { [ string first Basic $http_hdr_auth ] == -1 } {
                log -noname accesscontrol.local1.debug "$static::ACCESS_APM_LOG_PREFIX Not basic authentication. Ignore received auth header"
                set http_hdr_auth ""
            }

            if { $http_hdr_auth == "" } {
                log -noname accesscontrol.local1.debug "$static::ACCESS_APM_LOG_PREFIX No/Empty Auth header"
                HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate "Basic realm=\"$static::HttpRealm\"" Connection Close
                return
            }

            set username [HTTP::username]
            set password [HTTP::password]
        }

        when ACCESS_SESSION_STARTED {
            if { [ info exists username ] } {
                # Pass the Basic auth credentials into the APM session
                ACCESS::session data set session.logon.last.username $username
                ACCESS::session data set session.logon.last.password $password
            }
        }
  • Hi,

    Milk_man, I can't use the HTTP 401 agent within APM because some clients don't support the redirection to /my.policy that APM needs to authenticate.

    However, I rewrote the HTTP_REQUEST layer and it works now in v11.1 :D

    Look at my new iRule:

        when HTTP_REQUEST {
            if { [ACCESS::policy result] eq "deny" } {
                HTTP::header insert "clientless-mode" 1

                set username [HTTP::username]
                set password [HTTP::password]

                # Drop the cookies of the denied session
                HTTP::cookie remove LastMRH_Session
                HTTP::cookie remove MRHSession

                HTTP::header remove Authorization
            } elseif { [ACCESS::policy result] ne "allow" } {
                HTTP::header insert "clientless-mode" 1

                if { [HTTP::header Authorization] eq "" } {
                    # No credentials yet: challenge the client for Basic auth
                    HTTP::respond 401 WWW-Authenticate "Basic realm=\"Unspecified\"" Connection close
                    return
                } else {
                    set username [HTTP::username]
                    set password [HTTP::password]

                    HTTP::header remove Authorization
                }
            }
        }

        when ACCESS_POLICY_AGENT_EVENT {
            if { [ACCESS::policy agent_id] eq "no_redirect" } {
                if { [info exists username] } {
                    ACCESS::session data set session.logon.last.username $username
                    ACCESS::session data set session.logon.last.password $password
                }
            }
        }

        when ACCESS_POLICY_COMPLETED {
            if { [ACCESS::session data get session.ldap.last.authresult] eq "0" } {
                ACCESS::respond 401 content "Error: Failure in Authentication" Connection close
                return
            }
        }

    Thanks all