Hi,
I had a similar need for a customer, but with explicit authentication. The user role is stored in a table.
The user must authenticate to APM on a dedicated VS with the following iRule:
when ACCESS_ACL_ALLOWED {
    log local0. "requete de [IP::client_addr]"
    switch [HTTP::path] {
        "/status" {
            # Role stored for this client IP and the absolute lifetime left on the entry
            set value [table lookup -subtable IPAdmins [IP::client_addr]]
            set lifetime [table lifetime -subtable IPAdmins -remaining [IP::client_addr]]
            # No entry (empty result) or expired entry: send the user to /disconnect and stop
            if { $lifetime eq "" || $lifetime < 1 } {
                ACCESS::respond 302 noserver Location "/disconnect"
                return
            }
            # -gmt 1 so the remaining seconds are rendered as a plain H:M:S duration
            ACCESS::respond 200 content "
Authenticated
You are authenticated successfully :
session time remaining : [clock format $lifetime -format {%H:%M:%S} -gmt 1]
Your client IP : [IP::client_addr]
Your authorization role : $value
" noserver
        }
        "/disconnect" {
            # Remove the IP-to-role mapping, then terminate the APM session
            table delete -subtable IPAdmins [IP::client_addr]
            ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
        }
        default {
            # First request after login: store the user's group as the role for this IP
            # (idle timeout 7200 s, absolute lifetime 43200 s), then show the status page
            table set -subtable IPAdmins [IP::client_addr] [ACCESS::session data get session.localdb.groups] 7200 43200
            ACCESS::respond 302 noserver Location "/status"
        }
    }
}
Then, when trying to access protected resources, the AFM rule allows traffic with the following iRule (one per user role):
when CLIENT_ACCEPTED {
    # Rule for the Admins role: only a client IP whose stored role is "Admins" passes,
    # every other role (and an IP with no entry at all) is dropped
    switch [table lookup -subtable IPAdmins [IP::client_addr]] {
        "Admins" {}
        "Deploy" {drop}
        "Exploit" {drop}
        "Infra" {drop}
        default {drop}
    }
}
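As an added example, not from the original post: a Python model of the IPAdmins subtable the two iRules share, using the F5 `table` semantics as I understand them (an idle timeout that each lookup refreshes, plus an absolute lifetime that is never refreshed), with the AFM switch mirrored as a function. The class, the IPs and the simulated clock are constructed for the walk-through.

```python
class IPRoleTable:
    """Model of the IPAdmins subtable above (assumed F5 `table` semantics): the idle
    timeout is refreshed by every lookup, the absolute lifetime never is."""

    def __init__(self, clock):
        self.clock = clock  # callable returning seconds; simulated in scenario()
        self.entries = {}   # ip -> [role, last_touch, created, timeout, lifetime]

    def set(self, ip, role, timeout, lifetime):  # table set ... 7200 43200
        now = self.clock()
        self.entries[ip] = [role, now, now, timeout, lifetime]

    def lookup(self, ip):  # table lookup: role or ""; a hit touches the idle timer
        entry = self.entries.get(ip)
        if entry is None:
            return ""
        now = self.clock()
        if now - entry[1] >= entry[3] or now - entry[2] >= entry[4]:
            del self.entries[ip]  # expired entries read as if never set
            return ""
        entry[1] = now
        return entry[0]


def afm_decision(table, ip, allowed_role="Admins"):
    """Mirror of the CLIENT_ACCEPTED switch: one allowed role, all others dropped."""
    return "allow" if table.lookup(ip) == allowed_role else "drop"


def scenario():
    """Constructed walk-through on a simulated clock: deterministic and offline."""
    t = [0]
    table = IPRoleTable(clock=lambda: t[0])
    table.set("203.0.113.10", "Admins", 7200, 43200)  # timeouts as in the iRule
    table.set("198.51.100.7", "Deploy", 7200, 43200)
    steps = {}
    t[0] = 7000
    steps["admin_active"] = afm_decision(table, "203.0.113.10")  # allow; idle timer reset
    steps["deploy_role"] = afm_decision(table, "198.51.100.7")   # drop; role mismatch
    kept = []
    for t[0] in range(14000, 43000, 7000):  # steady activity, always < 7200 s idle
        kept.append(afm_decision(table, "203.0.113.10"))
    steps["admin_kept_alive"] = all(d == "allow" for d in kept)
    t[0] = 43200
    steps["admin_hard_limit"] = afm_decision(table, "203.0.113.10")  # drop; lifetime hit
    steps["deploy_idled_out"] = table.lookup("198.51.100.7") == ""   # True; 36200 s idle
    return steps
```

The run shows why both numbers matter: activity keeps the Admins entry alive past many idle windows, but the 43200 s lifetime still forces a fresh APM login, and an idle role entry silently disappears.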