Forum Discussion
Jo_97199
Nimbostratus
NimbostratusBig-IP ASM and websockets
Hi,
I'm trying to let websockets (ws://) connections run through ASM, the backend application is based on socket.io/nodejs.
It seems that connections are falling back to xhr-polling which means that websocket couldn't initialize a connection properly.
Does anybody have experience with websockets on ASM?
Regards,
Jo
hooleylistCirrostratus
Hi Jo,
I don't think ASM can do much with web sockets.
Aaron
JorjjjHello, Have you find any solution for this?
I am facing the same Issue!
Web Socket application works well over LTM, but does not work when ASM Security Policy is assigned on the virtual Server
Thanks Regards, Georges
Hannes_Rapp(removed)
- Hannes_Rapp
Please disregard my previous post. Answer-editing is extremely buggy in DevCentral. I've written an iRule for disabling ASM & HTTP on websocket request. Please give it a try.
when HTTP_REQUEST { if { [string tolower [HTTP::header value Upgrade]] equals "websocket" } { HTTP::disable ASM::disable log local0. "[IP::client_addr] - Connection upgraded to websocket protocol. Disabling ASM-checks and HTTP protocol. Traffic is treated as L4 TCP stream." } else { HTTP::enable ASM::enable log local0. "[IP::client_addr] - Regular HTTP request. ASM-checks and HTTP protocol enabled. Traffic is deep-inspected at L7." } }- JorjjjHello, The iRule Worked well! Thanks
Hannes_Rapp_162Nacreous
Please disregard my previous post. Answer-editing is extremely buggy in DevCentral. I've written an iRule for disabling ASM & HTTP on websocket request. Please give it a try.
when HTTP_REQUEST { if { [string tolower [HTTP::header value Upgrade]] equals "websocket" } { HTTP::disable ASM::disable log local0. "[IP::client_addr] - Connection upgraded to websocket protocol. Disabling ASM-checks and HTTP protocol. Traffic is treated as L4 TCP stream." } else { HTTP::enable ASM::enable log local0. "[IP::client_addr] - Regular HTTP request. ASM-checks and HTTP protocol enabled. Traffic is deep-inspected at L7." } }- JorjjjHello, The iRule Worked well! Thanks
- Jorjjj
thanks for the tip,
I will give it a try tomorrow, as this is a DEMO @ a customer and will advise back.
Regards, Georges
- Jorjjj_118094
Hello There
When i am adding this iRule, i cannot save it as there seems some typo error
I get the following error: "01070151:3: Rule [/Common/Disable_ASM_on_WebSocket] error: /Common/Disable_ASM_on_WebSocket:6: error: [wrong args][ASM::enable]"
can you please advise what to change to fix this error?
Regards Georges
- Hannes_RappIf you're using 11.4 or later, also pass on the policy argument. "ASM::enable MySecurityPolicyName". Once you've tested and verified it, comment out, or remove the "log local0." statements to improve performance. Regards.
- Jorjjj
Hello There
When i am adding this iRule, i cannot save it as there seems some typo error
I get the following error: "01070151:3: Rule [/Common/Disable_ASM_on_WebSocket] error: /Common/Disable_ASM_on_WebSocket:6: error: [wrong args][ASM::enable]"
can you please advise what to change to fix this error?
Regards Georges
- Hannes_RappIf you're using 11.4 or later, also pass on the policy argument. "ASM::enable MySecurityPolicyName". Once you've tested and verified it, comment out, or remove the "log local0." statements to improve performance. Regards.
- nitass
Employee
I get the following error: "01070151:3: Rule [/Common/Disable_ASM_on_WebSocket] error: /Common/Disable_ASM_on_WebSocket:6: error: [wrong args][ASM::enable]"
can you try to include policy name?
Beginning in v11.4, the policy is a required argument.ASM::enable
https://devcentral.f5.com/wiki/iRules.ASM__enable.ashx - Jorjjj
Hello I was able to save it properly I will test it tomorrow with the client, and will make sure if the application works out well.
Thanks a lot, Regards, georges