IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Raising Maintenance Page

    Posted Tue July 16, 2024 06:13 AM

    Hi All,

    I'm looking for an option for raising a maintenance page under several conditions. Triggers are e.g. backend not available (as it's a Kubernetes installation, I need to check some content because the ingress can still be available while the portal doesn't work), some manual trigger, parts of the system not being available, which is announced with a monitoring page, etc. Also, the page shall only be shown to internet users. My first idea was using a POP and an infomap. But maybe it's easier using authrules, while I don't like the XML with that. Anyway, the main problem I'm hitting is that IP-Auth doesn't seem to work, as the load balancer in front obviously has the same IP independent of the original sender. So the question is: can I use X-Forward-For or X-Real-IP with a POP, and what would be the best way to implement it?

    Thanks,

    Jens



    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: Raising Maintenance Page

    Posted Tue July 16, 2024 04:50 PM

    Jens,

     

    I can think of two ways that you can use the X-Forward-For header in an authorization decision:

    1. In v10.0.7 we added additional stages to the Lua scripting rules (https://www.ibm.com/docs/en/sva/10.0.7?topic=transformation-stages).  One of these stages, pre-authzn, would allow you to implement the authorization decision using Lua rules.  An example is also provided: https://www.ibm.com/docs/en/sva/10.0.7?topic=scenarios-setting-authorization-decision.
    2. Use the 'client-ip-http-header' configuration entry to define the name of the HTTP header which contains the client IP address.  This will allow you to use the value of the X-Forward-For header in the POP. See: https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-client-ip-http-header.

     

    I hope that this helps.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
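
Basing an IP decision on a forwarded client-IP header, as discussed in the reply above, is only sound if the header is read from the hop the load balancer itself wrote. The following Python example is added here to illustrate that logic; it is not IBM Verify Access code or configuration and not from either poster, and all networks, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]    # load balancer tier
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]   # intranet users


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(peer_ip, xff_header):
    """Return the address to use for IP-based policy decisions."""
    peer = ipaddress.ip_address(peer_ip)
    # A connection that did not come through the load balancer cannot
    # vouch for the header, so the header is ignored completely.
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer
    # Walk right to left: each trusted proxy appended the hop it saw. The
    # first address that is not a trusted proxy is the real client; anything
    # further left was supplied by that client and is untrusted.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket peer
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def show_maintenance_page(peer_ip, xff_header, maintenance_on):
    """The maintenance page applies to internet users only."""
    if not maintenance_on:
        return False
    client = effective_client_ip(peer_ip, xff_header)
    return not _in_any(client, INTERNAL_NETS)
```

A client-supplied value such as `192.168.1.10` ends up to the left of the address the load balancer appends, so it never reaches the internal-network check.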


  • 3.  RE: Raising Maintenance Page

    Posted Wed July 17, 2024 07:41 AM

    Hi Scott,

    Many thanks for all the hints. I'm starting with 2 and will trigger it with an external script using pdadmin to set the POP if needed. Once it works I'll check the Lua.

    Best,

    Jens



    ------------------------------
    Jens Petersen
    ------------------------------