Forum Discussion
Trying to replace the header host value if it doesn't match 2 conditions
As you said, stream is applied *before* the decompression. But in iRules, will I get the payload uncompressed?
If so, I can leave compression working as is and do the iRule.
Something like this (shamelessly copied from the DevCentral wiki 😉):
    when HTTP_REQUEST {
        # Disable the stream filter for all requests
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # Check if response type is text
        if {[HTTP::header value Content-Type] contains "text"} {
            # Remove Body onload attribute
            STREAM::expression "@onload=\"onLoadBody()\"@@"
            # Enable the stream filter for this response only
            STREAM::enable
        }
    }
That is it?
Hi Eric,
It depends on what type of SSL certificates your web servers are using.
1) If the certificates are signed by a public CA, then use the following option to validate the certificates.
Trusted Certificate Authorities: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.
2) If the certificates are signed by an internal CA, then import the CA bundle for your internal CA, including all chain certs, and use it as the Trusted Certificate Authority.
Hope this helps,
Nag
Hi NAG,
Thanks for the answer. I did it as you say, but it also fails.
Our certificate and site are internal, so in the "Trusted Certificate Authority" box of the server SSL profile I attach my bundle.
I did some tests with this bundle certificate file, including different certificates:
1- Root + Intermediate + Server CA certificates
2- Only root file
3- Only Root + Intermediate CA certificates
4- Only Server CA certificates
All four previous files failed when trying to reach the web server.
Doing a pcap I find this:
- Level: Fatal (2)
- Description: Handshake Failure (40)
Thanks :)
- consul_2019, Feb 24, 2020
Cirrus
Silly question, did you check the certificate sent back by the server in your capture? Alex.
Hi Alex,
I didn't check it. I supposed that the web server certificate is correct because if I access it directly without passing through F5 it launches properly and the certificate is valid and secure.
Maybe it is something with cipher/options or something like that? The rest of the serverssl options are configured as default, except those I told you about.
Thanks
- consul_2019, Feb 24, 2020
Cirrus
Hi, I follow your reasoning - it would be logical to assume that if you can access the server directly from your browser, the cert should be ok. Yes, that's true from the browser's perspective.
I would suggest taking a capture on the server side and checking in Wireshark that you are definitely getting the correct certificate back, and that you are definitely getting a certificate back (and that it's not empty, for example). Bypassing F5 might seem like a good idea, but it is not a recommended way to troubleshoot these kinds of issues. :)
Thanks,
Alex
- consul_2019, Feb 24, 2020
Cirrus
P.S.: I meant do a tcpdump on BIG-IP on the server-side facing VLAN and then open it in Wireshark... Oh, if you are in prod, then you may want to do this out of hours or on a change...
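
The check suggested above (is a Certificate message actually coming back from the server, is its list non-empty, and which alert ends the handshake) can be scripted. The Python below is an added example, not part of the thread: it assumes the input is the raw server-to-BIG-IP TCP payload of a TLS 1.2 or earlier handshake (in TLS 1.3 the Certificate message is encrypted), and the function names and sample bytes are constructed for illustration.

```python
import struct

ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
HANDSHAKE = {2: "server_hello", 11: "certificate", 14: "server_hello_done"}

def u24(b):
    return int.from_bytes(b[:3], "big")

def cert_sizes(msg):
    """Sizes of the DER certificates in a TLS <= 1.2 Certificate message body."""
    sizes, pos, end = [], 3, 3 + u24(msg)
    while pos + 3 <= end:
        sizes.append(u24(msg[pos:]))
        pos += 3 + sizes[-1]
    return sizes

def summarize_flight(data):
    """Summarise the cleartext TLS records a server sent (reassembled TCP payload)."""
    out = {"handshake": [], "certs": None, "alerts": []}
    hs, pos, off = b"", 0, 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == 21 and len(body) == 2:   # alert record: level, description
            level = "fatal" if body[0] == 2 else "warning"
            out["alerts"].append((level, ALERTS.get(body[1], str(body[1]))))
        elif ctype == 22:                    # handshake data may span several records
            hs += body
    while off + 4 <= len(hs):
        mtype, mlen = hs[off], u24(hs[off + 1:])
        out["handshake"].append(HANDSHAKE.get(mtype, str(mtype)))
        if mtype == 11:                      # None = no Certificate message, [] = empty list
            out["certs"] = cert_sizes(hs[off + 4:off + 4 + mlen])
        off += 4 + mlen
    return out

# Constructed sample data (not taken from the thread's capture).
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def message(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def cert_list(*ders):
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    return len(entries).to_bytes(3, "big") + entries

HELLO = message(2, b"\x03\x03" + bytes(36))  # placeholder ServerHello body, not parsed
GOOD = record(22, HELLO + message(11, cert_list(b"\x30" * 900, b"\x30" * 1100)) + message(14, b""))
EMPTY = record(22, HELLO + message(11, cert_list()) + message(14, b""))
ALERT_ONLY = record(21, bytes([2, 40]))      # fatal handshake_failure, as seen in the pcap
```

In the result, `certs` is `None` when no Certificate message was seen at all and `[]` when the message arrived with an empty list, which are the two cases the capture is meant to rule out.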