For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jace_45978's avatar
Jace_45978
Icon for Nimbostratus rankNimbostratus
Aug 14, 2013

VIP address gets member port appended in URL

Hey all,

 

have a virtual which has a irule to determine which pool traffic gets routed to based on URL. Which seems to work for the most part. The initial page works fine, but other items in the url such as .css, .js, .gif get the pool member port appended in the url which causes error. (added picture below)

 

config info: virtual: virtual www23.xx.com-qa-80 { snatpool automap destination 10.88.9.10:http ip protocol tcp rules QA-SSM-pool-rule persist universal-irule-persistence profiles { http-xff {} oneconnect {} tcp-lan-optimized {} } }

 

rule: rule QA-SSM-pool-rule { when HTTP_REQUEST {

 

log local0. "Request for [], from [IP::client_addr]"

switch -glob [string tolower [HTTP::uri]] {

 

"/ssmadmin1/*" {pool QASSM1_Pool}

 

"/ssmserver1/*" {pool QASSM1_Pool}

 

"/ssmadmin2/*" {pool QASSM2_Pool}

 

"/ssmserver2/*" {pool QASSM2_Pool}

 

"/ssmadmin3/*" {pool QASSM3_Pool}

 

"/ssmserver3/*" {pool QASSM3_Pool}

 

"/ssmadmin4/*" {pool QASSM4_Pool}

 

"/ssmserver4/*" {pool QASSM4_Pool}

 

"/ssmadmin5/*" {pool QASSM5_Pool}

 

"/ssmserver5/*" {pool QASSM5_Pool}

 

"/ssmadmin6/*" {pool QASSM6_Pool}

 

"/ssmserver6/*" {pool QASSM6_Pool}

 

"/ssmadmin7/*" {pool QASSM7_Pool}

 

"/ssmserver7/*" {pool QASSM7_Pool}

 

"/ssmadmin8/*" {pool QASSM8_Pool}

 

"/ssmserver8/*" {pool QASSM8_Pool}

 

"/ssmadmin9/*" {pool QASSM9_Pool}

 

"/ssmserver9/*" {pool QASSM9_Pool}

 

"/ssmadmin10/*" {pool QASSM10_Pool}

 

"/ssmserver10/*" {pool QASSM10_Pool}

 

"/ssmadmin11/*" {pool QASSM11_Pool}

 

"/ssmserver11/*" {pool QASSM11_Pool}

 

"/ssmadmin12/*" {pool QASSM12_Pool}

 

"/ssmserver12/*" {pool QASSM12_Pool}

 

default { discard } } } }

 

just 1 pool member example which is the pool currently being used in jpg attached: pool QASSM12_Pool { monitor all tcp members { 10.88.10.147:10066 {} 10.88.10.148:10066 {} } }

 

http profile: profile http http-xff { defaults from http redirect rewrite none insert xforwarded for enable }

 

results from HTTP WATCH:

 

as you can see in the image there are some errors and it would appear that the VIP has the pool member port appended which there is no VIP for the port appended in the URL. So how does one stop the port from being added to the url and we don't want to create a new VIP for this specific port which I believe would fix the issue but is not desired. supposibly the web server had to add a virtual host of 10.88.9.10:10066 to even get the app going. any help is appreciated. Gladly share more info if needed. thanks

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
security

2 Replies

  • HHeredia_36237's avatar
    HHeredia_36237
    Icon for Nimbostratus rankNimbostratus
    Aug 14, 2013

    iRule seems Ok at a glance. Are you pretty sure that the server is not redirecting traffic to hostname:10066?

     

    How about connecting directly to the server (not tru BIG-IP) and see what happens?

     

    Regards, hheredia

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 15, 2013

    Yes, I'd check for response content that refers to the webserver port. You can either modify the server config to reference itself with the public facing port or use an iRule to rewrite the response headers and/or payload from the server port to the public facing port.

     

    Here's an example to rewrite the server port: https://devcentral.f5.com/wiki/iRules.RewriteHTTPRedirectPort.ashx

     

    To rewrite the response payload, you can use a stream profile and STREAM::expression based iRule:

     

    https://devcentral.f5.com/wiki/iRules.stream__expression.ashx

     

    Combining those, you could try something like this:

     

    when HTTP_REQUEST {

     Save the requested host value
    set host [string tolower [HTTP::host]]

     If the HTTP host header is blank, use the VS IP address
     If the VS IP is not routable for clients, hard code a routable IP
     to replace [IP::local_addr]
    if {$host eq ""}{set host [IP::local_addr]}

     Disable the stream filter by default
    STREAM::disable
}
when HTTP_RESPONSE {

     Rewrite the Location header to remove the server port
    if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] contains $host} {
        HTTP::header replace Location [string map -nocase "$host:[TCP::remote_port] $host" [HTTP::header Location]]
    }

     Check if response type is text and host isn't null
    if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{

         Replace $host:8888 with $host
        STREAM::expression "@$host:[TCP::remote_port]@$host@"

         Enable the stream filter for this response only
        STREAM::enable

    }
}