Forum Discussion
Problem with stream iRule and SAML idp redirect
Running into the following issue here. We have a SharePoint site with web servers listening on some high port and using an internal hostname. On the SharePoint virtual server I am applying the following iRule to do the HTML parsing and host header translation:
    when HTTP_REQUEST_RELEASE {
        # Disable the stream filter for all requests by default
        STREAM::disable
        # LTM does not uncompress response content, so if the server has compression enabled
        # and it cannot be disabled on the server, we can prevent the server from
        # sending a compressed response by removing the compression offerings from the client
        HTTP::header remove "Accept-Encoding"
        if {[info exists stream_expr]} { unset stream_expr }
        # This is what we want to replace: internal host:port -> public hostname
        set stream_expr "@http://sharepoint.something.somedomain.root:14775@https://sharepoint.somedomain.com@"
        # make sure we have a var to crosscheck before we enable the rewrite in the response
        set SPresponse 1
    }
    when HTTP_RESPONSE {
        # Enable the rewrite to fix the hostnames
        if {[info exists SPresponse]} {
            # Check if the response type is one we want to rewrite
            if {[HTTP::header value Content-Type] contains "application/json" || [HTTP::header value Content-Type] contains "text/html" || [HTTP::header value Content-Type] contains "text/xml"} {
                if {[info exists stream_expr]} {
                    STREAM::expression $stream_expr
                    STREAM::enable
                }
            }
        }
    }
When SP-initiated, the SAML IDP processes the request and redirects me back to my SharePoint site. However, it seems like before the redirect from the IDP gets processed by the SAML SP, it gets translated by the iRule, and the SAML authentication process never comes to completion, resulting in a 404. When the iRule is not applied, SAML authentication seems to come to completion, but of course the site would not work.
Any idea how to work around this issue?
Hi Alex,
For the VIP targeting VIP solution to get around APM-Stream Profile conflicts, below is a basic view of what the config would look like:
    ltm virtual vs_external {
        destination 1.1.1.1:443
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            clientssl_profile { context clientside }
            stream_profile { }
            http { }
            tcp { }
        }
        rules { forward_internal_virtual saml_stream_expression }
    }
    ltm virtual vs_internal {
        destination 2.2.2.2:80
        enabled
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            example_accesspolicy { }
            http { }
            rba { }
            tcp { }
            websso { }
        }
    }
    ltm rule forward_internal_virtual {
        when HTTP_REQUEST {
            virtual vs_internal
        }
    }
- AP: Hi Alex, So, does this same Virtual Server that you have applied the above iRule to also have an APM Policy with an SP Resource (SAML Auth)? A few points in the meantime, although I can't say that they will solve your issue. The 404 error sounds like you're requesting an invalid resource/URI. Have you performed any captures? I notice you're using HTTP_REQUEST_RELEASE. I think you also need to use HTTP_RESPONSE_RELEASE with APM instead of HTTP_RESPONSE. I've had varying results when using Stream Profiles on Virtual Servers with APM as a SAML IDP or SP. Have you noticed any errors in the logs? In those cases I had to create an external VS with the Stream Profile and target another VS with the APM Policy.
- AP: Sorry for the blob of text, seems comments don't get the same formatting tools as Answers...
Hi Alex,
Don't know if this fixes your problem, but you should keep in mind that [STREAM::enable] translates HTTP responses and HTTP requests. So if you don't require HTTP request stream replacements, then better move STREAM::disable into the HTTP_REQUEST event. Otherwise it may have unintentional side effects on POST data...
    when HTTP_REQUEST { STREAM::disable }
In addition, you could use an HTTP-Compression profile instead of the HTTP::header remove "Accept-Encoding" command. This would allow you to still remove the Accept-Encoding header on the server side (it's a default setting) but without losing client-side compression.
Cheers, Kai
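To make Kai's point concrete, here is an added Python model (not code from the thread or from F5) of what the stream filter does with the expression from the iRule above: it parses the @from@to@ syntax, applies the iRule's Content-Type gating on the response path, and shows that the same substitution hits request bodies unless the request path is disabled. The sample bodies are constructed, and the literal-substitution model is a simplification of the real stream profile.

```python
from typing import List, Tuple

# Expression and Content-Type gating taken from the iRule in the question.
STREAM_EXPR = "@http://sharepoint.something.somedomain.root:14775@https://sharepoint.somedomain.com@"
REWRITE_TYPES = ("application/json", "text/html", "text/xml")


def parse_stream_expression(expr: str) -> List[Tuple[str, str]]:
    """Parse '@from@to@[@from2@to2@...]'; the first character is the delimiter."""
    if not expr:
        return []
    delim = expr[0]
    tokens = expr.split(delim)
    # tokens[0] is the empty string before the leading delimiter; pairs sit at
    # positions 1,2 then 4,5 ... because an empty token separates consecutive pairs.
    return [(tokens[i], tokens[i + 1]) for i in range(1, len(tokens) - 1, 3)]


def apply_stream(body: str, pairs: List[Tuple[str, str]]) -> str:
    """Simplified stream filter: plain literal substitution of every pair."""
    for search, repl in pairs:
        body = body.replace(search, repl)
    return body


def process_response(content_type: str, body: str, expr: str = STREAM_EXPR) -> str:
    """HTTP_RESPONSE logic from the iRule: rewrite only the listed content types."""
    if any(t in content_type for t in REWRITE_TYPES):
        return apply_stream(body, parse_stream_expression(expr))
    return body


def process_request(body: str, expr: str = STREAM_EXPR, disable_on_request: bool = True) -> str:
    """Request path. With Kai's 'when HTTP_REQUEST { STREAM::disable }' the body
    passes untouched; without it the same expression is applied to client data.
    disable_on_request is a hypothetical switch for this model only."""
    if disable_on_request:
        return body
    return apply_stream(body, parse_stream_expression(expr))


# Constructed samples. The request body deliberately carries the internal name
# to show the filter is direction-agnostic; it is not a captured SharePoint request.
RESPONSE_JSON = '{"d":{"__metadata":{"uri":"http://sharepoint.something.somedomain.root:14775/_api/web"}}}'
REQUEST_JSON = '{"__metadata":{"uri":"http://sharepoint.something.somedomain.root:14775/_api/web/lists"}}'

if __name__ == "__main__":
    print(process_response("application/json; charset=utf-8", RESPONSE_JSON))
    print(process_request(REQUEST_JSON, disable_on_request=False))
```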
- alex100_194614: In the LTM log I am seeing this:
    TCL error: /Common/irulename_link_rewrite - Operation not supported (line 1) invoked from within "STREAM::disable"
In the APM log:
    Mar 3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 209 Msg: error while reading from socket Connection reset by peer
    Mar 3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 765 Msg: EXCEPTION AccessPolicyD.cpp line:676 function: process_request - error 2 reading/parsing response from socket
    Mar 3 18:06:59 QC-BIGIP-03 debug apd[12434]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1835 Msg: send 'error' code
    Mar 3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490085:3: : Response could not be sent to remote client. Socket error: Broken pipe
    Mar 3 18:06:59 QC-BIGIP-03 debug apd[12434]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 776 Msg: ** done with the request processing **
    Mar 3 18:06:59 QC-BIGIP-03 warning tmm[16831]: 01490531:4: d3ae9f1d: Detected invalid host header ().
    Mar 3 18:06:59 QC-BIGIP-03 notice tmm[16831]: 01490501:5: d3ae9f1d: Session deleted due to user logout request.
If I remove the APM policy, the iRule doesn't seem to trigger anything in the log and it works. Also it seems that changing HTTP_RESPONSE to HTTP_RESPONSE_RELEASE breaks the iRule in my case... I wonder if there is a way to exclude a specific URI from being translated... I am new to stream profiles. Thanks for the help.
- AP: Hi Alex, That error is what I also experienced and should be caused by a conflict with APM's use of Stream under the hood. You can try the VIP targeting VIP solution I mentioned earlier. I'll put together an example VS config for you shortly.
- AP: Hi Alex, Any luck?
- alex100_194614: Andrew, Thanks for the advice. I was able to work around it with a layered virtual server. It seems like an old bug known for ages. Everything worked out in the end.