Forum Discussion
Cannot access the internet using a default gateway virtual server
- Mar 27, 2021
Update. After deleting everything and re-deploying the members were populated as expected. The question was edited above but for the record the config above had these two conflicting parameters before:
    - --pool-member-type=nodeport
    - --log-as3-response=true
    - --pool-member-type=cluster
I added the cluster option when troubleshooting something else earlier and forgot to remove it. Newbie mistake!
As it happens, I've got it working a slightly different way.
Comments welcome on possible improvements though 🙂
Gav
Copy of my rule is:
    when RULE_INIT {
        # Set to 1 to enable debug logging, 0 to disable it
        set static::LogInvalidRespDebug 1
    }
    when HTTP_REQUEST priority 100 {
        if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing HTTP Request at Priority 100..." }
        # Bypass by default
        set bypass 1
        if { [HTTP::header exists "X-Requested-With"] } {
            if {$static::LogInvalidRespDebug > 0} { log local0.info "X-Requested-With HTTP Header Present. Must be AJAX Request." }
            return
        } else {
            if {$static::LogInvalidRespDebug > 0} { log local0.info "Non AJAX Request. Processing further." }
            # Only looking for HTML Requests
            if { [HTTP::header "Accept"] contains "text/html" } {
                if {$static::LogInvalidRespDebug > 0} { log local0.info "Accept Header contains 'text/html'. Recording." }
                # Prevent the server from sending a compressed response
                # remove the compression offerings from the client
                HTTP::header remove "Accept-Encoding"
                # Don't allow response data to be chunked
                if { [HTTP::version] eq "1.1" } {
                    # Force downgrade to HTTP 1.0, but still allow keep-alive connections.
                    # Since HTTP 1.1 is keep-alive by default, and 1.0 isn't,
                    # we need make sure the headers reflect the keep-alive status.
                    # Check if this is a keep alive connection
                    if { [HTTP::header is_keepalive] } {
                        # Replace the connection header value with "Keep-Alive"
                        HTTP::header replace "Connection" "Keep-Alive"
                    }
                    # Set server side request version to 1.0
                    # This forces the server to respond without chunking
                    HTTP::version "1.0"
                }
                if {$static::LogInvalidRespDebug > 0} { log local0.info "Storing HTTP::request value" }
                # HTTP::request returns the raw request headers, so cookie and
                # Authorization values are included in whatever logs $req_data
                set req_data [HTTP::request]
                # Client address and URI used in the HSL message in HTTP_RESPONSE_DATA
                set clientip [IP::client_addr]
                set uri [HTTP::uri]
                if {$static::LogInvalidRespDebug > 0} { log local0.info "\$req_data = $req_data" }
                # Need to check the response on this one.
                set bypass 0
            } else {
                if {$static::LogInvalidRespDebug > 0} { log local0.info "Non HTML request. Returning. " }
                return
            }
        }
    }
    when HTTP_RESPONSE {
        if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing HTTP Response." }
        if { $bypass } {
            if {$static::LogInvalidRespDebug > 0} { log local0.info "Bypassing this response" }
            return
        } else {
            if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing this response" }
            # Trigger collection for up to 1MB of data
            if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0} {
                HTTP::collect $content_length
            }
            # Log output.
            set ir_hsl [HSL::open -proto UDP -pool splunk_ir]
            HSL::send $ir_hsl "<190>|Checking HTTP Response Data\n"
        }
    }
    when HTTP_RESPONSE_DATA {
        if {$static::LogInvalidRespDebug > 0} { log local0.info "Processing HTTP Response data." }
        if { $bypass } {
            return
        } else {
            # do stuff with the payload
            set payload [HTTP::payload]
            if { $payload contains "" } {
                if {$static::LogInvalidRespDebug > 0} { log local0. "Payload contains tag." }
            } else {
                log local0.crit "Payload doesnt contain tag."
                HSL::send $ir_hsl "<190>|$clientip requested $uri. Invalid response returned. Request data was: $req_data\n"
            }
        }
    }
- Jason_Adams Mar 09, 2017
Employee
OPTIONS should be added to the switch statement:
The Linked DevCentral Article needs to be updated to include 'OPTIONS' HTTP Request Method.
    when HTTP_REQUEST {
        # selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "MOVE" -
            "COPY" -
            "LOCK" -
            "UNLOCK" -
            "OPTIONS" -
            "PROPFIND" -
            "PROPPATCH" -
            "MKCOL" {
                HTTP::disable
            }
        }
    }
- Vladimir_Akhmarov Dec 16, 2016
Cirrus
Using this iRule has one limitation for IIS servers acting as a WebDAV distribution point with SSL Offloading on BIG-IP enabled. When SSL Offloading on BIG-IP is enabled and the client uses the COPY/MOVE method, there is a header named "Destination" that starts with https (because the client is connecting to WebDAV with SSL). IIS does not recognise that destination because the servers are running as HTTP and are expecting an http appended string in the "Destination" header.
Here is my fixed iRule:
    # Works for TMOS 11.6.0+
    # https://support.f5.com/csp//article/K13285
    # Make this iRule to be called the last one because of the HTTP::disable
    priority 700

    when CLIENT_ACCEPTED {
        # Enable HTTP processing for all requests by default
        HTTP::enable
    }
    when HTTP_REQUEST {
        # Selectively disable HTTP processing for specific request methods
        switch [HTTP::method] {
            "COPY" -
            "MOVE" {
                # Replace Destination header with http if using SSL Offloading
                if { [HTTP::header Destination] starts_with "https" } {
                    HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
                }
                HTTP::disable
            }
            "MKCOL" -
            "PROPPATCH" {
                HTTP::disable
            }
        }
    }
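The Destination rewrite from the post above, as an added example that is not part of the thread: `string map` replaces every occurrence of `https` in the header value, including ones in the path, so this plain-Tcl sketch (runnable in tclsh) compares it with a rewrite anchored to the scheme. The proc names `rewrite_global` and `rewrite_scheme` and the sample Destination values are constructed for illustration.

```tcl
# Added example, not code from the thread. Uses only Tcl 8.4 string commands.
# rewrite_global and rewrite_scheme are hypothetical helper names.

# Same substitution as the iRule above: every "https" becomes "http".
proc rewrite_global {dest} {
    return [string map -nocase {https http} $dest]
}

# Anchored variant: only a leading "https://" scheme is rewritten,
# the host and path are passed through untouched.
proc rewrite_scheme {dest} {
    if {[string equal -nocase -length 8 $dest "https://"]} {
        return "http://[string range $dest 8 end]"
    }
    return $dest
}

# Constructed sample Destination header values.
set samples {
    https://dav.example.com/docs/report.docx
    HTTPS://dav.example.com/docs/report.docx
    https://dav.example.com/https-migration/notes.txt
    http://dav.example.com/docs/report.docx
    /docs/relative-target.txt
}

foreach dest $samples {
    set g [rewrite_global $dest]
    set s [rewrite_scheme $dest]
    if {$g eq $s} {
        set verdict "same result"
    } else {
        # The global map also changed text after the scheme,
        # so the COPY/MOVE would land on a different path.
        set verdict "DIFFERS: global map gives $g"
    }
    puts "$dest"
    puts "    anchored -> $s"
    puts "    $verdict"
}
```

Only the third sample differs: the global map turns `/https-migration/` into `/http-migration/`, while the anchored version changes the scheme alone.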