Forum Discussion
iRule to bypass HTTP profile on APM VS
I have encountered problems with SSL VPN users trying to use port 80 in local network apps other than a browser. For example, a webcam app that ran on port 80 failed to work on SSL VPN but works on Cisco IPsec user VPN connections. Another example: Sametime chat works over any port other than port 80 when connected to F5 SSL. My sales engineer suggested it may be my HTTP profile.
He further suggested there may be an iRule to bypass the HTTP profile for specific destination IPs that I could configure. Is there such an iRule?
8 Replies
- nathe
Cirrocumulus
Gabriel,
As far as I know, you can't enable/disable an HTTP profile in an iRule as such (although you can for some individual HTTP profile options).
Hopefully your SE can give you a pointer on what part of the profile might be causing your issue.
Hope this helps,
N
- Gabriel_Olar_10
Nimbostratus
Thanks for the quick reply. Yeah, I don't know, it feels like the HTTP profile is built for web traffic/apps, so when you try to run port 80 on a different app, I would guess the app makes requests in a different way than a browser does. Not really looking to disable the profile, just bypass it for certain addresses.
- Matt_Dierick
Employee
The solution could be to forward specific traffic to another VS without an HTTP profile. I do it for a non-RFC-compliant application.

    when HTTP_REQUEST {
        # Match only the paths that the HTTP profile has trouble with
        if { [HTTP::uri] starts_with "/company/Reports/" } {
            log local0. "Requete sur Report --> VS_nonHTTP"
            # Hand the connection to the virtual server that has no HTTP profile
            virtual /Common/VS_nonHTTP
        }
    }

I don't know if it works in your use case, but that could help you out.
Matt
- Gabriel_Olar_10
Nimbostratus
Thanks so much, can I do this?
when HTTP_REQUEST { if {[HTTP::uri] starts_with "chat.phl.com"}
- Matt_Dierick
Employee
Yeah, or:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "chat.phl.com" } {
            log local0. "HTTP URI contains chat.phl.com"
            # Forward to the second virtual server (no HTTP profile)
            virtual /Common/VS_CHAT
        }
    }

And add this log iRule on the second VS (the one without an HTTP profile):

    when CLIENT_ACCEPTED {
        log local0. "Connection on NON_HTTP VS"
    }

Don't forget to add resources on the second VS (pool and members). This VS can have any IP address. It doesn't matter because the connection comes from the first VS.
Hope this solution will work in your case. Otherwise, enable logs on LTM and try to understand why the HTTP profile runs into an issue.
- Gabriel_Olar_10
Nimbostratus
What's the purpose of the second VS, or why do I need two VSs?
- Matt_Dierick
Employee
You need one VS with an HTTP profile (which seems to cause an issue for you) and another one without. Basically, you need the HTTP profile on VS1, I suppose, in order to start an APM session (Landing URI ...). If for any reason you have an issue with this HTTP profile, the workaround is to forward the specific flow to another VS without an HTTP profile.
- Duffman_107233
Nimbostratus
I had a similar issue and just disabled the HTTP profile in an iRule for some non-compliant HTTP. You could try the below. Would be interested in knowing if this works for others?

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/company/Reports/" } {
            # Stop HTTP processing for the rest of this connection
            HTTP::disable
        }
    }