F5 XC | Rewrite Redirect functionality
Hi together, for the migration to F5 XC we need to change the location header for certain responses (301,302) to match the hostname of the XC instance. Is there currently a way to configure a rewrite redirect to an F5 XC virtual server? I also couldn't find a configuration option that allows response header manipulation. I am grateful for any hint. Update: i found a feature Request for that functionality: https://www.f5cloudideas.com/ideas/MESH-I-149 but if there are any other ideas pls share with me 🙂1.3KViews0likes8CommentsA quick post on how F5 XC Health Checks are different from BIG-IP
F5 Distributed Cloud (F5 XC) HTTP Health Checks (HC) behave differently from the basic HTTP Health Check from the beloved BIG-IP platform that F5 is known for. Because of this difference, some of your testing and real-world experiences may be a little different. One issue you may encounter is the difference in TCP/HTTP connection handling. On BIG-IP, the HTTP HC sends a HTTP/0.9 style GET request. With HTTP/0.9, there is no persistent TCP session, and every check is a brand-new request. By default, in F5 XC, XC will send HTTP/1.1 requests with the default behaviour of Connection: keep-alive set. This may result in Health Checks continuing to work even though new client sessions may be blocked. If this isn't desired for your health checks, you can change to a single use style health check by adding the HTTP header: Connection: Close to your health check. Here's a table that shows the GET requests and responses between BIG-IP and XC. HTTP Requests BIG-IP Basic HTTP XC Basic HTTP Get Request Hypertext Transfer Protocol GET /\r\n \r\n [HTTP request 1/1] Hypertext Transfer Protocol GET / HTTP/1.1\r\n host: demo.com\r\n user-agent: Envoy/HC\r\n \r\n [Full request URI: http://demo.com/] [HTTP request 1/1] Response Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n X-Frame-Options: ALLOW-FROM \r\n Content-Type: text/html; charset=utf-8\r\n Vary: Accept-Encoding\r\n Date: Tue, 21 Mar 2023 15:59:11 GMT\r\n Connection: close\r\n \r\n [HTTP response 1/1] [Time since request: 0.001904999 seconds] [Request in frame: 14] [Request URI: /] Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n X-Frame-Options: ALLOW-FROM \r\n Content-Type: text/html; charset=utf-8\r\n Vary: Accept-Encoding\r\n Date: Tue, 21 Mar 2023 16:18:44 GMT\r\n Connection: keep-alive\r\n Keep-Alive: timeout=5\r\n Transfer-Encoding: chunked\r\n \r\n [HTTP response 1/1] [Time since request: 0.080959858 seconds] [Request in frame: 4] [Request URI: http://demo.com/] HTTP chunked response Here is the JSON payload to create your own Health Check with the Connection Close header set: { "metadata": { "name": "hc-http-connectionclose-200-302", "namespace": "shared", "labels": {}, "annotations": {}, "disable": false }, "spec": { "http_health_check": { "use_origin_server_name": {}, "path": "/", "use_http2": false, "headers": { "Connection": "Close" }, "request_headers_to_remove": [], "expected_status_codes": [ "200", "302" ] }, "timeout": 3, "interval": 15, "jitter": 0, "unhealthy_threshold": 1, "healthy_threshold": 3, "jitter_percent": 30 } } Thanks for reading and best of luck in your journey with F5 Distributed Cloud.1.5KViews8likes2CommentsAcronyms
Acronyms, are used all the time and the author /presentor is usually convinced that everyone in the audience understands what they mean, but every once in a while you hear or read something that you are not sure of the meaning. We are all professionals, that do not want to look like we are the only one in the room who does not know. So after hearing a talk or reading an article we often find ourselves looking it up; this can become confusing because acronyms mean different things when we search outside our field. For example CEwhat does it mean? The letters "CE" are the abbreviation of French phrase "ConformitéEuropéene" which literally means "European Conformity". In the dictionary you will probably find CE meaningCommon Era or ChristianEra.When looking for a more modern meaning, we will find it may mean Consumer Electronics. But here in our community, when someone writes CE, they mean Customer Edge. Here, you have, at your fingertips a list of acronyms, unconfused with other fields. Please let me know ifI missedany acronyms so I can add them to our list. A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | A ACL - Access Control List ADC -Application Delivery Controller ADN -Application delivery network ADO - Application Delivery Optimization ALG - Application Layer Gateway AI - Artificial Intelligence AJAX - Asynchronous JavaScript and XML API - Application Programming Interface APM - Access Policy Manager ASM - Application Security Manager (F5’s Application Security Manager™ ASM is also known as BD) AWAF - Advanced Web Application Firewall AWS - Amazon Web Services B BaDos -Behaviour AniDDoS (Behaviour AniDDoS, an F5 product that is used against DDoS) BDM -- Business Decision Maker BGP - Border Gateway Protocol BOO - Build Once Only C CDN -Content Delivery Network CE - Customer Edge CGNAT - Carrier Grade NAT CIA triad - Confidentiality, Integrity,Availability (triad Security model) CIFS - Common Internet file system CRS - Core RuleSet CRUD -Create , Read, Update, Delete CSRF - Cross-Site Request Forgery, also known as XSRF CUPS - Control Plane and User Plane Separation CVE - Common Vulnerabilities and exposures CVSS - Common Vulnerability Scoring System D DAP - Digital Adoption Plateform DAST - Dynamic testing. (Examples of such tools Qualys and Nessus) DB - Database DC - Direct Communication / Direct Connect DDoS - Distributed Denial-of-Service DGW - Default Gateway Weight Settings Protocol (DGW) DHCP - Dynamic Host Configuration Protocol DIO - Distribution Initiated Opportunity DLP - Data Loss Protection DMZ - Demilitarized Zone [Demilitarized Zone DNS - Domain Name System DoH - DNS over HTTP DoT - DNS over TLS DPIAs - Data Protection Impact Assessment DRP - Disaster Recovery Plan DSR - Data Subject Rights E ELA - Enterprise License Agreement EDPB - European Data Protection Board EDR - Endpoint Detection and Response EPP - Endpoint Protection Platforms EUSA - End User Software Agreement F FIPS - Federal Information Processing Standards FPGA - field-programmable gate array FQDN - Fully Qualified Domain Name FRR - FRRouting G GDPR - General Data Protection Regulations GKE - Google Kubernetes Engine GPU - Graphic Processing Unit GSLB - Volterra’s Global Load Balancing gRPC - Google Remote Procedure Call H HIPAA - Health Insurance Portability & Accountability Act HMAC -Hash-based message authentication HSL - High-Speed Logging HTTP - Hypertext Transfer HTTPS - Hypertext Transfer Protocol I IANA- Internet Assigned Numbers Authority IBD - Integrated Bot Defense ICO - Information Commission Office IDS - Intrusion Detection System IIoT -Industrial Internet of Things ILM - Information Lifecycle Management IoT - Internet of Things IPAM- IP Address Management IPSec - Internet Protocol Security IR - Incidence Response ISO - Standardization Organization ISP- Internet Service Provider J JS - Javascript K KMS - Key Management Service / Key Management System KPI - Key Performance Indicator KV - Key Value k8s - Kubernetics L L7 - Layer 7 - The application layer LB - Load Balancer LBaaS - Load Balancing as a Service LDAP -Lightweight Directory Access Protocol LFI - Local File Exclusion attack LTM - Local Traffic Manager M MAM - Mobile Application Management MDM - Mobile Device Management MFA - Multi-Factor Authentication MitM - Man in the Middle ML - Machine Learning MSA - Master Service Agreement MSP - Managed Service Provider MT - Managed Tenant mTLS - Mutual Transport Layer Security MUD - Malicious User Detection MUM - Malicious User Mitigation N NAP - Network access point NAS - Network-Attached Storage NAT- Network Address Translation NIC - NetworkInterface Cards NFV - Network functions NFVI - Network functions virtualization NPU - Network Processing Units O OAS - OpenAPI Specification (Swagger) OPA - Open Policy Agent OT - Original Tenant OWASP - Open Web Application Security Project P PAAS - Platform as a service (PaaS PBD - Proactive Bot Defence. PCI DSS - Payment Card Industry Data Security Standard. PBD - Privacy by Design PE - Portable executable PFS - Perfect Forward Secrecy PIA - Privacy Impact Assessments PII - Personally identifiable information POP - Point of Presence Q QoS -Quality of Service R RBAC - Role based Access control RCE - Remote Code Execution RDP- Remote Desktop Protocol RE - Routing Engine, Regional Edges REST - Representational State Transfer *[[Rest API -Representational State Transfer]]* RFI - Request For Information OR Remote File Inclusion vulnerability attack RFP - Request for Proposal RPC - Remote Procedure Call RSA – (Rivest–Shamir–Adleman) is a public-key cryptosystem RTT - Round Trip Time S SAM - Security Accounts Manager SAML - Security Assertion Markup Language SCIM - System for Cross-domain Identity Management SCP - Secure Copy Protocol SCP - Server Communication Proxy SDC - F5 Security and Distributed Cloud SDK - Software Development Kit SDN - Software Defined Network SE - Solutions Engineer SIEM - Security Information & Event Management SLA - Service Level Availability SLED -State,Local Government and Education SLI - Service Level Indicator SNAT- Source Network Address Translation SOC - Security Operations Center SP - Service Provider SPK - Service Proxy for Kubernetes SRE - Site reliability engineering SRT - Security Research Team at F5 SSD - Solid State Drive SSL - Secure Sockets Layer SSO - Single Sign On SSRF - Server-side request forgery STRIDE - Spoofing, Tampering,Repudiation,Information Leakage, Denial of Service, Elevation of Privilege (a TMA Model) T TCL - Tool Command Language TCP - [Transmission Control Protocol TDM -Technical Decision Maker TLS - Transport layer Security TMA - Threat Model Assessment TO - Tenant Owner TOCTOU - Time of Check vs Time of Use TOI - Transfer of Information TTFB - Time to First Bit TTL - Time to Live U UAM - User Access Management UI - User Interface URI - Uniform Resource URL - Uniform Resource Locator UX - User Experience V VER - Volterra Edge Router VES - Volterra Edge Services VIF - virtual interface VIP - Virtual IP address VM - Virtual Machine Vnet - Virtual network VPC - Virtual Private Cloud VPN - Virtual Private Network VRS - Volterra Rules Set W WAAP - Web Application& API Protection WAF - Web application firewall WPA3 - Wi-Fi Alliance Access 3 X XML - Extensible Markup Language [XML - Wikipedia](https://en.wikipedia.org/wiki/XML) XSS - Cross Site Scripting XSRF - Cross-Site Request Forgery, also known as CSRF Y Z ZTNA -Zero Trust Network Access ZTP - Zero-Touch Provisioning ZTS - Zero Trust Security4.8KViews5likes5CommentsF5 XC | Stuck at VIRTUAL_HOST_PENDING_A_RECORD
I have a running OWASP Juice Shop in Azure and have assigned a public IP on it. Trying to build a load balancer using XC. I am stuck at theVIRTUAL_HOST_PENDING_A_RECORD status. Question is do I need to use my own DNS to create a domain name entry for my load balancer? Can I do anything to bypass this or any workaround you may have?Solved2.7KViews0likes6CommentsGlobal Log Receiver
Hey, I'm trying to configure an HTTP Load Balancer with a Global Log Receiever, I saw that it is unavailable in the Free Plan so I switch to the Individual Plan but the Global Log Receiver feature is still locked. What do I need in order to unlock it? Thanks!Solved1.6KViews0likes3CommentsXC Backup via API
Hi Floks, I would like to automate the backup (and restore if needed!) of my XC configurations via the API. What is the best way, can I save all the configurations at once, should I save the namespaces completely, one by one or should I save each object of a namespace (pool, healthcheck, HTTP LB, App FW...)? Or maybe it's doable per service? In short, what is the smartest way to make a complete backup of the confs? Thanks.Solved1.3KViews1like3CommentsAccess Logs - Invalid Tenant
Hey, I'm following this tutorial:https://docs.cloud.f5.com/docs/how-to/others/get-access-logsand when I run the `curl` command I get: "Invalid tenant. you'll be redirected to main login page.". I took the Tenant ID from "Home->Administration->Tenant Settings->Tenant ID" for the `curl` command. Would appreciate help regarding why I'm getting this message and what can I do to fix that. Thanks in advance.Solved1.2KViews0likes3CommentsHandle False Positive for files upload
Hi folks, I'm wondering how to handle uploading files through XC. For example, I have a URL used for uploading files to a web application, say /upload. The files appear to be scanned by XC which detects and triggers many attack signatures. According to my tests they are all false positives. A concrete example of trigered signature: Signature ID 200104770 name: JSP Expression Language Expression Injection (3) (Parameter) attack_type:ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION matching_info:Matched 62 characters on offset 1 against value: "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'." The habit I had on ASM was to disable problematic signatures on this type of URL. Is there a more relevant way to handle these cases on XC? Many thanks.Solved1.7KViews0likes6Comments
Group Content
About Distributed Cloud Users
Discuss the integration of security, networking, and application delivery services
Owned by: Rebecca_Moloney, DinaS, mlangdon, and LiefZimmermanCreated: 2 years agoOpen Group
Boards
XC Users Forum
Open conversations with staff and peers about F5 Distributed Cloud Services.Mar 22, 202323 Posts XC Users Articles
Authoritative information from F5 Distributed Cloud Services subject matter experts for you, the community.Dec 01, 202312 Posts XC Users Suggestions
Provide ideas and feedback to F5 staff on how to improve the usefulness of this community group.0 Posts