David_R_Joslin
Feb 11, 2014 Nimbostratus
Insert auth pool request transparently between every call to an application pool.
I have something working but I am not sure if there is a more efficient way. One requirement is that the criteria for determining if the request came from auth is not spoofable. That pretty much eliminated headers. I tried playing with sharedvar but could not make it work with the auth proxy. Given that this will execute with every call to our app, I want to be as efficient as possible.
Thanks!
# iRule to insert a trip through the auth servers
# before every request to the application.
# Assumes that the auth servers forward every
# successfully authorized request to the original URL.
when HTTP_REQUEST {
    # Capture the current pool.
    set AppPool [LB::server pool]
    # Define the Auth server pool.
    set AuthPool "TEST_AUTH_80"
    # Set the current pool to the Auth pool.
    pool $AuthPool
    # Capture the client IP in the format presented by the
    # [members -list [LB::server pool]] command.
    set clientIPPort "[IP::client_addr] 80"
    # If the client IP is in the Auth pool list, the request is being
    # forwarded from the Auth servers and should go to the Application pool.
    # Else send to the Auth servers.
    if { [members -list [LB::server pool]] contains $clientIPPort } {
        log local0. "client: $clientIPPort IN $AuthPool sending to $AppPool"
        pool $AppPool
    } else {
        log local0. "client: $clientIPPort NOT IN $AuthPool sending to $AuthPool"
        pool $AuthPool
    }
}
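Added example, not part of the original post: the `contains` test in the iRule is a substring match on the string form of the member list, so this plain-Tcl comparison sets it beside an exact list-element match. The member addresses are constructed, the proc names are hypothetical, and `string first` stands in for the iRules-only `contains` operator.

```tcl
# Constructed sample: pool members in the "addr port" form the post says
# [members -list] returns. The addresses are made up for this example.
set authMembers {{192.168.10.15 80} {192.168.10.16 8080}}

# Substring test: behaves like `contains` applied to the list's string form.
# Any client whose "addr port" text appears anywhere in that string matches.
proc substring_match {members addr port} {
    return [expr {[string first "$addr $port" $members] >= 0}]
}

# Exact test: the client must equal one whole "addr port" list element.
proc exact_match {members addr port} {
    return [expr {[lsearch -exact $members [list $addr $port]] >= 0}]
}

# Constructed client addresses:
#   192.168.10.15  a real member on port 80
#   2.168.10.15    textual suffix of a member address, not a member
#   192.168.10.16  member address, but the member listens on 8080, not 80
#   10.9.9.9       unrelated client
foreach addr {192.168.10.15 2.168.10.15 192.168.10.16 10.9.9.9} {
    puts [format "%-15s substring=%d exact=%d" $addr \
        [substring_match $authMembers $addr 80] \
        [exact_match $authMembers $addr 80]]
}
```

Inside the iRule the exact form would be `[lsearch -exact [members -list $AuthPool] $clientIPPort] >= 0`, assuming `members -list` returns a Tcl list of `addr port` elements as the post describes.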