Forum Discussion
Adrien_Legros_1
Altostratus
Jul 07, 2009
Choosing WAF and SSL offload via iRules
Hello, here is what we are trying to do:
We want the internal requests to go to the ASM. So the BIG-IP VIP has an SSL profile, performs the SSL offload, goes into the iRule, and the traffic is analysed by the ASM. This part of the iRule is working fine.
The other case doesn't work (one case in the iRule). For the external requests, we want to go to a pool without analysing the traffic with the ASM and without performing the SSL offload. I think we also need to remove the HTTP profile because we are on an HTTPS VIP, but the requests don't succeed...
Here is what I'd like to know:
- How can I disable the ASM in version 10.0?
- How can I disable the HTTP profile and the SSL offload? The commands below do not work.
Thanks.
when CLIENT_ACCEPTED {
    log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
}

when HTTP_REQUEST {
    set debug 1
    # External client: send straight to the old WAF, skipping ASM and SSL offload
    if { not [matchclass [IP::client_addr] starts_with $::Testgroup] } {
        log local0. "Client [IP::client_addr] DIRECT to old WAF without ASM and SSL offload"
        SSL::disable
        HTTP::disable
        pool igw_site_ssl
        event disable all
    } else {
        # Internal request that should go through the ASM, routed by URI
        log local0. "internal request [HTTP::uri] via ASM"
        if { [HTTP::uri] starts_with "/app3" } {
            if { $debug } { log local0. "Request to [HTTP::uri]" }
            pool igw_pool_app3
        } elseif { [HTTP::uri] starts_with "/APP1" } {
            if { $debug } { log local0. "Request to [HTTP::uri]" }
            pool igw_pool_app1
        } elseif { [HTTP::uri] starts_with "/APP2" } {
            if { $debug } { log local0. "Request to [HTTP::uri]" }
            pool igw_pool_app2
        }
    }
}
6 Replies
- Adrien_Legros_1
Altostratus
One thing I forgot to say: when I remove the HTTP class from the VIP, everything works well. But in the first case the ASM should be disabled, so I don't understand why the HTTP class prevents the website from displaying.
- hoolio
Cirrostratus
Hi Adrien,
In 10.0.1 (not 10.0.0) you can enable/disable ASM on a connection using ASM::enable / ASM::disable. See SOL10128 for details.
You'll need to use SSL::disable and HTTP::disable in the CLIENT_ACCEPTED event once you've determined that the client IP address should not go to ASM. Once you do that, I don't think you actually need to disable ASM, as the request won't be decrypted or parsed as HTTP.
I haven't tried this yet on 10.0.1 though, so can you try this and reply with the result?
Thanks,
Aaron
- Adrien_Legros_1
Altostratus
Thanks for your answer, so if I understand:
In the CLIENT_ACCEPTED event, I should perform the test to know whether the client is internal or not. If not, I should only disable HTTP and SSL. The ASM will not intercept the traffic because the HTTP profile is disabled?
You speak about version 10.0.1, so there is no way to disable ASM via iRule in version 10.0?
I'll try this and post the result.
Thanks.
- hoolio
Cirrostratus
My reading of SOL10128 is that there isn't a way to disable ASM for a connection using PLUGIN::asm disable or ASM::disable in 10.0.0. It would be a good idea to upgrade to 10.0.1 regardless. I suppose you could push F5 to provide a hotfix for this issue in 10.0.0, but upgrading would probably be faster for you.
Aaron
- Adrien_Legros_1
Altostratus
Unfortunately, even after some iRule changes, it still doesn't work. Here is what I've done:
When I arrive with an external IP, I enter the IF (in the CLIENT_ACCEPTED event), but the request doesn't go to the default pool. The same happens when I place the command pool pool_external in the event.
Does someone have another idea?
Thanks a lot.
when CLIENT_ACCEPTED {
    log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
    # External client: turn off HTTP parsing and SSL offload for this connection
    if { not [matchclass [IP::client_addr] starts_with $::internal] } {
        log local0. "External client with IP [IP::client_addr] DIRECT to Teros"
        HTTP::disable
        SSL::disable
    }
}

when HTTP_REQUEST {
    if { not [matchclass [IP::client_addr] starts_with $::nbbonly] } {
        log local0. "HTTP_REQUEST external client with IP [IP::client_addr] DIRECT to Teros"
        pool pool_pub_viaTeros
        event disable all
    } else {
        # Internal client request [HTTP::uri] via ASM
        log local0. "internal request [HTTP::uri] via ASM"
        HTTP::header insert nbbclientip [IP::client_addr]
        ......
- hoolio
Cirrostratus
In a quick test on 10.0.1, the connection hung until adding ASM::disable to CLIENT_ACCEPTED. I'm guessing you'll need to upgrade to get this to work.
Aaron
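Putting the thread's conclusion together, the following is an added example iRule (not code from any of the posts above) showing the pattern hoolio describes: the internal/external decision is made once per connection in CLIENT_ACCEPTED, and the external path disables ASM, client-side SSL and HTTP processing and selects its pool right there. Because the HTTP profile is switched off for that connection, HTTP_REQUEST does not fire for it, which is why the pool selection in the poster's HTTP_REQUEST event never took effect. The data group name internal_nets, the header name and the pool names are assumptions; ASM::disable needs 10.0.1 or later, per SOL10128 as quoted above.

```tcl
# Added example, not from the original posts. Assumes an address data group
# named internal_nets and the pool names below. ASM::disable requires 10.0.1+.
when CLIENT_ACCEPTED {
    # Decide per connection, before any TLS handshake or HTTP parsing happens.
    # class match is the v10 form of the matchclass $::name test used in the posts.
    if { [class match [IP::client_addr] equals internal_nets] } {
        # Internal client: keep SSL offload and the HTTP profile so ASM inspects it.
        set internal 1
        log local0. "Internal client [IP::client_addr]: SSL offload + ASM"
    } else {
        set internal 0
        log local0. "External client [IP::client_addr]: passthrough to old WAF"
        # Stop ASM, then stop decrypting and parsing HTTP on this connection.
        ASM::disable
        SSL::disable
        HTTP::disable
        # HTTP_REQUEST will not fire for this connection, so the pool must be
        # chosen here. The members receive the raw TLS stream and must
        # terminate TLS themselves (assumed: the old WAF does).
        pool igw_site_ssl
    }
}

when HTTP_REQUEST {
    # Only reached for internal clients; the guard is defensive.
    if { !$internal } { return }
    # Assumed header name; tells the backend which client connected.
    HTTP::header insert X-Client-IP [IP::client_addr]
    # Case-insensitive path routing (the posts mixed /app3 and /APP1).
    switch -glob -- [string tolower [HTTP::uri]] {
        "/app1*" { pool igw_pool_app1 }
        "/app2*" { pool igw_pool_app2 }
        "/app3*" { pool igw_pool_app3 }
        default  { pool igw_pool_default }
    }
}
```

Two points worth checking before putting this in front of real traffic. First, the decision is keyed purely on the client source address before any HTTP is parsed, so nothing in the request (headers, URI) can influence it; the flip side is that every address outside internal_nets bypasses ASM entirely, so the data group must be kept accurate and the old WAF behind igw_site_ssl must actually be inspecting that traffic. Second, the external pool members must present their own certificate and terminate TLS, since the BIG-IP no longer does; if they expect plaintext, the connection will hang exactly as described earlier in the thread.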