Forum Discussion
Big-IP ASM and websockets
I'm trying to let websockets (ws://) connections run through ASM, the backend application is based on socket.io/nodejs.
It seems that connections are falling back to xhr-polling which means that websocket couldn't initialize a connection properly.
Does anybody have experience with websockets on ASM?
Regards,
Jo
- hooleylistCirrostratusHi Jo,
- JorjjjNimbostratus
Hello, Have you find any solution for this?
I am facing the same Issue!
Web Socket application works well over LTM, but does not work when ASM Security Policy is assigned on the virtual Server
Thanks Regards, Georges
- Hannes_RappNimbostratus
(removed)
- Hannes_RappNimbostratus
Please disregard my previous post. Answer-editing is extremely buggy in DevCentral. I've written an iRule for disabling ASM & HTTP on websocket request. Please give it a try.
when HTTP_REQUEST { if { [string tolower [HTTP::header value Upgrade]] equals "websocket" } { HTTP::disable ASM::disable log local0. "[IP::client_addr] - Connection upgraded to websocket protocol. Disabling ASM-checks and HTTP protocol. Traffic is treated as L4 TCP stream." } else { HTTP::enable ASM::enable log local0. "[IP::client_addr] - Regular HTTP request. ASM-checks and HTTP protocol enabled. Traffic is deep-inspected at L7." } }
- JorjjjNimbostratusHello, The iRule Worked well! Thanks
- Hannes_Rapp_162Nacreous
Please disregard my previous post. Answer-editing is extremely buggy in DevCentral. I've written an iRule for disabling ASM & HTTP on websocket request. Please give it a try.
when HTTP_REQUEST { if { [string tolower [HTTP::header value Upgrade]] equals "websocket" } { HTTP::disable ASM::disable log local0. "[IP::client_addr] - Connection upgraded to websocket protocol. Disabling ASM-checks and HTTP protocol. Traffic is treated as L4 TCP stream." } else { HTTP::enable ASM::enable log local0. "[IP::client_addr] - Regular HTTP request. ASM-checks and HTTP protocol enabled. Traffic is deep-inspected at L7." } }
- JorjjjNimbostratusHello, The iRule Worked well! Thanks
- JorjjjNimbostratus
thanks for the tip,
I will give it a try tomorrow, as this is a DEMO @ a customer and will advise back.
Regards, Georges
- Jorjjj_118094Nimbostratus
Hello There
When i am adding this iRule, i cannot save it as there seems some typo error
I get the following error: "01070151:3: Rule [/Common/Disable_ASM_on_WebSocket] error: /Common/Disable_ASM_on_WebSocket:6: error: [wrong args][ASM::enable]"
can you please advise what to change to fix this error?
Regards Georges
- Hannes_RappNimbostratusIf you're using 11.4 or later, also pass on the policy argument. "ASM::enable MySecurityPolicyName". Once you've tested and verified it, comment out, or remove the "log local0." statements to improve performance. Regards.
- JorjjjNimbostratus
Hello There
When i am adding this iRule, i cannot save it as there seems some typo error
I get the following error: "01070151:3: Rule [/Common/Disable_ASM_on_WebSocket] error: /Common/Disable_ASM_on_WebSocket:6: error: [wrong args][ASM::enable]"
can you please advise what to change to fix this error?
Regards Georges
- Hannes_RappNimbostratusIf you're using 11.4 or later, also pass on the policy argument. "ASM::enable MySecurityPolicyName". Once you've tested and verified it, comment out, or remove the "log local0." statements to improve performance. Regards.
- nitassEmployee
I get the following error: "01070151:3: Rule [/Common/Disable_ASM_on_WebSocket] error: /Common/Disable_ASM_on_WebSocket:6: error: [wrong args][ASM::enable]"
can you try to include policy name?
Beginning in v11.4, the policy is a required argument.
ASM::enable
https://devcentral.f5.com/wiki/iRules.ASM__enable.ashx - JorjjjNimbostratus
Hello I was able to save it properly I will test it tomorrow with the client, and will make sure if the application works out well.
Thanks a lot, Regards, georges
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com