相关链接:https://clouddocs.f5.com/api/irules/AES.html
https://identity.account.f5.com/app/f5networksprod_welcometodevcentral_1/exkjzcpvzl9XNStiq356/sso/saml?RelayState=%2Fs%2Farticles%2Fencrypting-cookies
https://bbs.pediy.com/thread-253884.htm #AES 算法说明
实现 cookie 加密 以及任何其他加密
when RULE_INIT { set ::key [AES::key 128] } when HTTP_RESPONSE { set decrypted [HTTP::cookie "MyCookie"] HTTP::cookie remove "MyCookie" set encrypted [b64encode [AES::encrypt $::key $decrypted]] HTTP::cookie insert name "MyCookie" value $encrypted } when HTTP_REQUEST { set encrypted [HTTP::cookie "MyCookie"] HTTP::cookie remove "MyCookie" set decrypted [AES::decrypt $::key [b64decode $encrypted]] HTTP::cookie insert name "MyCookie" value $decrypted }
或者:
when CLIENT_ACCEPTED { set cookiename "MyCookie" set encryption_passphrase "abcd1234" } when HTTP_RESPONSE { if { [HTTP::cookie exists $cookiename] } { HTTP::cookie encrypt $cookiename $encryption_passphrase } } when HTTP_REQUEST { if { [HTTP::cookie exists $cookiename] } { set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase] if { ($decrypted eq "") } { # Cookie wasn't encrypted, delete it HTTP::cookie remove $cookiename } } }
when CLIENT_ACCEPTED { # Define an AES encryption key. Valid key lengths are 128, 192, or 256 bits. # You can use a key generator, or create your own using only HEX characters. set aes_key "AES 128 63544a5e7178677b45366b41405f2dab" # Name of the cookie to encrypt/decrypt set cookie"myCookie" # Log debug messages to /var/log/ltm? 1=yes, 0=no. set cookie_encryption_debug 0 } when HTTP_RESPONSE { # Check if response contains an error cookie with a value if {[string length [HTTP::cookie value $cookie]] > 0}{ # Log the original error cookie value from the app if {$cookie_encryption_debug}{log local0. "Response from app contained our cookie: [HTTP::cookie value $cookie]"} # Encrypt the cookie value so the client can't change the value HTTP::cookie value $cookie [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]] # Log the encoded and encrypted error cookie value if {$cookie_encryption_debug}{log local0. "Encrypted error cookie to: [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]]"} } } when HTTP_REQUEST { # If the error cookie exists with any value, for any requested object, try to decrypt it if {[string length [HTTP::cookie value $cookie]]}{ if {$cookie_encryption_debug}{log local0. "Original error cookie value: [HTTP::cookie value $cookie]"} # URI decode the value (catching any errors that occur when trying to # decode the cookie value and save the output to cookie_uri_decoded) if {not ([catch {URI::decode [HTTP::cookie value $cookie]} cookie_uri_decoded])}{ # Log that the cookie was URI decoded if {$cookie_encryption_debug}{log local0. "$cookie_uri_decoded was set successfully"} # Decrypt the value if {not ([catch {AES::decrypt $aes_key $cookie_uri_decoded} cookie_decrypted])}{ # Log the decrypted cookie value if {$cookie_encryption_debug}{log local0. "$cookie_decrypted: $cookie_decrypted"} } else { # URI decoded value couldn't be decrypted. } } else { # Cookie value couldn't be URI decoded } } else { # Cookie wasn't present in the request } }