Forum Discussion

Adrien_Legros_1's avatar
Icon for Altostratus rankAltostratus
Feb 07, 2011

TCL error with local variable

Hi, I have a problem with the following Irule. Here are some explanations about the flow:



1) The client sends a request that must be authenticated. He will be redirected to an url on the same VIP with a different URI (/loginproxy/...). To keep the initial url, we save it in the variable ROAD (case 3).


2) On this server, the client will receive a cookie to proove ha has been authenticated. Now He must be redirected to the initial url that was saved in the variable ROAD. This redirection is based on the content of the header ROAD.


3) The client goes to the initial URL.



The problem is:



when I use global variable for ROAD, sometimes, 2 differents clients that goes to 2 differents URLs are exchanging the initial url, due to the global variable.


When I use local variabla (as now), I receive a TCP error saying that ROAD is not known when inserting in the headers (case 3).



How can I correct it or keep the initial url value?



Thanks for your help.




when RULE_INIT {


set road "vide"


set target "vide"






log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"






Debug variable. 0=Debug disabled, 1=Debug Enabled


set debug 1


set cert [SSL::cert 0]


Modify this to change the Application name sended to the error pages


set app_name "App1"


If no client certificate is reveived, the client is redirected to the error page


if {$cert eq ""} {


if {$debug == 1} {


log "no cert"}


HTTP::redirect "$app_name&subject=None&issuer=None&validFrom=None&validTo=None" }


else {


When we receive a certificate


set result [SSL::verify_result]


set sujet [X509::subject $cert]


set issuer [X509::issuer $cert]


set serial [X509::serial_number $cert]


set debut [X509::not_valid_before $cert]


set fin [X509::not_valid_after $cert]


We first verify the validity. if the result is different than 0, we redirect the client to the error page


if {$result > 0} {


if {$debug ==1} { log "verify error - result = $result"}


HTTP::redirect "$result&appName=$app_name&subject=$sujet&issuer=$issuer&validFrom=$debut&validTo=$fin" }


else {


Then we verify the Issuer. If it not a trusted issuer listed in the DATA GROUP trusted_issuers, we redirect to the error page


if {not [class match $issuer contains trusted_issuers]} {


if {$debug == 1} {


log "not a trusted issuer - $issuer"}


HTTP::redirect "$result&appName=$app_name&subject=Wrong_Issuer&issuer=$issuer&validFrom=$debut&validTo=$fin"




else {


if {$debug == 1} {


log "trusted issuer" log "Insert Certificate into the headers" }


Everything is fine, we can insert the certificate info in the headers


HTTP::header insert x-nbbcertsubject [X509::subject $cert]


HTTP::header insert x-nbbcertissuer [X509::issuer $cert]


HTTP::header insert x-nbbcertserial [X509::serial_number $cert]


HTTP::header insert x-nbbclientip [IP::client_addr]


Loadbalancing and pool selection based on the URI.


CASE 1 if {([HTTP::uri] starts_with "/soap/mfi")}{


if {$debug eq 1}{log local0. "1 Direct Request to [HTTP::uri]"}


HTTP::uri "/mifidws[HTTP::uri]"


set road "[HTTP::host][HTTP::uri]"


set target "MIFIDWS"


pool SecureProxy




elseif {([HTTP::uri] starts_with "/MIFID/invoke") or ([HTTP::uri] starts_with "/mifid/invoke")}{


CASE 2 if {$debug eq 1}{


log local0. "2 Direct Request to [HTTP::uri]"}


HTTP::uri "/mifidb2b[HTTP::uri]"


set road "[HTTP::host][HTTP::uri]"


set target "MIFIDB2B"


pool SecureProxy




elseif {([HTTP::uri] starts_with "/loginproxy") }{


CASE 3 if {$debug eq 1}{log local0. "3 Direct Request to [HTTP::uri]"}


HTTP::header insert target $road


HTTP::header insert x-targetapp $target


pool SecureProxy }


else {


if {$debug eq 1}{log local0. "4. Normal Request to [HTTP::uri]"} HTTP::redirect "" } } } } }

2 Replies

  • Any variable set in RULE_INIT will be global (and will demote the virtual server from using all cores available). You're using the road and target variables in the HTTP_REQUEST event. You could eliminate the intermediate variables and just reference the actual commands.



  • Thanks Aaron for your answer but I do not understand how I could not use the variables as I need to keep the first url used by the client to modify the uri after the redirection. For example:



    Request 1 is:


    Our server redirect the user to (but I need to keep the first url in the headers as the backend will use it to write the next redirection.


    Request 2: The client goes to a cookie is done and the server perform another redirection to the URL written in the header (target = $$road)


    Request 3: the user go to the first url with the authentication information.



    Problem is, with my irule, when the client goes to /loginproxy, when I insert the content of the variable in the header, variable seems not to exist. I can not use directly HTTP::uri is it no more the first url requested.