Forum Discussion
Help with MySQL_Proxy iApp
I've made some progress on this. I discovered one of the binary scan statements was selecting a starting character that came after the user info of the MySQL payload.
I was able to get the client connection working by changing this line from the below
binary scan $clientside_mysql_arg @31A* from_client_user_payload
to this
binary scan $clientside_mysql_arg @4A* from_client_user_payload
Unfortunately, I fixed one problem only to find another. The iRule is not completing the three-way handshake with the actual DB server. It sends the initial syn, the DB server replies with a syn ack, and then nothing. The F5 never responds to the syn ack and the DB server retransmits the syn ack.
The iRule is erroring out at the "TCP::respond [eval $client_auth_packet]" statement in this section of the iRule.
when SERVER_DATA {
    if { $authenticated_state($serverside_current_pool) != 1 } {
        log local0.debug "BIG-IP MySQL Proxy -- serverside authenticated flag not set"
        set serverside_payload [TCP::payload]
        # Packet header: 3 length bytes, 1 sequence byte, first payload byte as hex, then the rest
        binary scan $serverside_payload c3cH2a* serverside_mysql_len serverside_mysql_num serverside_mysql_cmd serverside_mysql_arg
        if { $serverside_mysql_num == 0 && $serverside_mysql_cmd eq "0a" } {
            log local0.debug "BIG-IP MySQL Proxy -- mysql server: received WELCOME packet"
            binary scan [findstr $serverside_mysql_arg "\000" 2] i1a8x1B16c1B16x13a12x1 welcome_thread_id welcome_scramble_buff1 welcome_capabilities welcome_language welcome_status welcome_scramble_buff2
            # Scramble response: data group value XOR SHA1(scramble + SHA1(data group value))
            set welcome_hash_stage $welcome_scramble_buff1
            append welcome_hash_stage $welcome_scramble_buff2 [sha1 [binary format H40 [class lookup $from_client_user mcom-db-qa.app_data_group]]]
            binary scan [binary format H40 [class lookup $from_client_user mcom-db-qa.app_data_group]] c* welcome_xor_lhs
            binary scan [sha1 $welcome_hash_stage] c* welcome_xor_rhs
            set welcome_xor_buffer [list]
            foreach l $welcome_xor_lhs r $welcome_xor_rhs {
                lappend welcome_xor_buffer [expr { $l ^ $r }]
            }
            # http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol
            log local0.debug "BIG-IP MySQL Proxy -- serverside responding with client AUTH packet"
            set client_auth_formatting "B16B16i1c1x23A*x1c1c*A*x1"
            set client_auth_args [list]
            lappend client_auth_args 1000111110100010 0000001000000000 1073741824 48 $from_client_user 20 $welcome_xor_buffer $from_client_database
            # Format the body once to measure its length, then prepend the length and sequence number 1
            set client_auth_length [string length [eval "binary format $client_auth_formatting $client_auth_args"]]
            set client_auth_packet "binary format s1x1c1$client_auth_formatting $client_auth_length 1 $client_auth_args"
            TCP::respond [eval $client_auth_packet]
            TCP::payload replace 0 [TCP::payload length] ""
            TCP::collect
        }
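Added example (not part of the original post or the iRule): the token computation and login packet that the SERVER_DATA block above assembles, written in Python so the resulting bytes can be compared with what the iRule emits. It assumes the data group value is the hex SHA1 of the user's password and that the server uses mysql_native_password; the sample user, database, password and scramble are constructed.

```python
import hashlib
import struct

# Capability flags, max packet size and charset copied from the iRule's
# client_auth_args (B16 B16 -> bytes 0x8F 0xA2 0x02 0x00 = 0x0002A28F little-endian).
CAPABILITIES = 0x0002A28F
MAX_PACKET = 1073741824
CHARSET = 48


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def native_password_token(stage1: bytes, scramble: bytes) -> bytes:
    """stage1 = SHA1(password); returns stage1 XOR SHA1(scramble + SHA1(stage1))."""
    mask = sha1(scramble + sha1(stage1))
    return bytes(l ^ r for l, r in zip(stage1, mask))


def server_accepts(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """Server-side check; stored = SHA1(SHA1(password))."""
    mask = sha1(scramble + stored)
    return sha1(bytes(t ^ m for t, m in zip(token, mask))) == stored


def build_auth_packet(user: bytes, token: bytes, database: bytes, seq: int = 1) -> bytes:
    """Protocol 4.1 login packet with the same field order as the iRule's format string."""
    body = struct.pack("<IIB23x", CAPABILITIES, MAX_PACKET, CHARSET)
    body += user + b"\x00" + bytes([len(token)]) + token + database + b"\x00"
    header = struct.pack("<I", len(body))[:3] + bytes([seq])  # 3-byte length + sequence
    return header + body


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    scramble = bytes(range(1, 21))  # 8 + 12 scramble bytes from the server greeting
    stage1 = sha1(b"example-password")
    token = native_password_token(stage1, scramble)
    pkt = build_auth_packet(b"appuser", token, b"appdb")
    print(server_accepts(token, scramble, sha1(stage1)), pkt.hex())
```

Under that assumption the data group value alone is enough to compute a valid token, so it should be protected like the password itself.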
