Posted in: NetScaler. By Simon Gottschlag
7 years ago
I have a scenario where I need to use AAA / Unified Gateway to authenticate users, but would like requests that already carry a valid token to pass straight through to the API without going through AAA.
My solution was to create an HTTP callout in NetScaler that validates the token and, if it is valid, lets the request through to the backend. The same pattern can be used in other cases, such as serving cached API responses from NetScaler.
```
# Create the callout policy. In my case I'm using the internal load balancer for the API, where I'm not using AAA.
# The endpoint /api/netscaler/tokenvalidation will return status code 200 if the authorization is valid.
add policy httpCallout CALLOUT_WEBAPP_API_BEARER -vServer LB-INT_WEBAPP_API -returnType NUM -hostExpr "HTTP.REQ.HEADER(\"Host\")" -urlStemExpr "\"/api/netscaler/tokenvalidation\"" -headers Authorization(HTTP.REQ.HEADER("Authorization")) -scheme http -resultExpr HTTP.RES.STATUS -cacheForSecs 3600

# Create a new load balancer where AAA is disabled
add lb vserver LB-WEBAPP_API_NOAUTH SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -persistMask 255.255.255.255 -cltTimeout 180
bind ssl vserver LB-WEBAPP_API_NOAUTH -certkeyName wildcard-cert
bind lb vserver LB-WEBAPP_API_NOAUTH SVC-WEBAPP01_HTTP
bind lb vserver LB-WEBAPP_API_NOAUTH SVC-WEBAPP02_HTTP

# Create new content switching actions, policies and policy labels
add cs action CSA-LB-WEBAPP_API_NOAUTH -targetLBVserver LB-WEBAPP_API_NOAUTH

# Using HTTP.REQ.USER.SESSIONID.LENGTH.EQ(0) to check that the user has no AAA session (isn't authenticated)
# Using SYS.HTTP_CALLOUT(CALLOUT_WEBAPP_API_BEARER).EQ(200) to check whether the token is valid or not
add cs policy CSP-WEBAPP-API_NOAUTH-NOOP -rule "EXP_ADV_HOSTHEADER_WEBAPP && HTTP.REQ.URL.PATH.SET_TMODE(IGNORECASE).STARTSWITH(\"/api/\") && HTTP.REQ.USER.SESSIONID.LENGTH.EQ(0)"
add cs policy CSP-WEBAPP-API_NOAUTH -rule "EXP_ADV_HOSTHEADER_WEBAPP && HTTP.REQ.URL.PATH.SET_TMODE(IGNORECASE).STARTSWITH(\"/api/\") && HTTP.REQ.USER.SESSIONID.LENGTH.EQ(0) && SYS.HTTP_CALLOUT(CALLOUT_WEBAPP_API_BEARER).EQ(200)" -action CSA-LB-WEBAPP_API_NOAUTH
add cs policylabel CSPL-WEBAPP_API_NOAUTH SSL
bind cs policylabel CSPL-WEBAPP_API_NOAUTH CSP-WEBAPP-API_NOAUTH 100
# CSP-WEBAPP-API was already being used in the "normal" content switching
bind cs policylabel CSPL-WEBAPP_API_NOAUTH CSP-WEBAPP-API 110
bind cs vserver <CS vServer> -policyName CSP-WEBAPP-API_NOAUTH-NOOP -priority 99 -invoke policylabel CSPL-WEBAPP_API_NOAUTH
# This one was already bound
bind cs vserver <CS vServer> -policyName CSP-WEBAPP-NOOP -priority 100 -invoke policylabel CSPL-WEBAPP
```
It works like a charm! If you have any feedback or questions, feel free to leave a comment.