Forum Discussion

JNeilson_117973's avatar
JNeilson_117973
Icon for Nimbostratus rankNimbostratus
Aug 02, 2018

BIG-IP DNS SNI monitoring

We are trying to get a SNI monitor to work on a BIG-IP DNS to a generic host. Using the external ADFS monitors the checks fail. When running a CURL to the destination servers we receive Unknown SSL protocol error in connection while a openssl test returns the cert and the CN we are grepping for but the moniotr still fails.

We have tried with the standard ADFS external monitor provided by F5 along with the amended version for TLS1.1 and above. Also tried another custom one from Devcentral. Can anyone provide any pointers in how we could get this to work?

Monitor 1:

!/bin/sh These arguments supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) This script expects the following Name/Value pairs: HOST = the host name of the SNI-enabled site URI = the URI to request RECV = the expected response Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

NODE=

echo ${1} | sed 's/::ffff://'
if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then NODE=${NODE} else NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/
basename ${0}
.sni_monitor_${HOST}_${PORT}_${NODE}.pid" if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error kill -9
cat $PIDFILE
> /dev/null 2>&1 fi echo "$$" > $PIDFILE (echo -e "GET $URI HTTP/1.1\r\nHost: $HOST\r\nConnection: Close\r\n\r\n"; sleep 2) | openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -servername '$HOST' STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit

Monitor 2

!/bin/sh These arguments supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) This script expects the following Name/Value pairs: HOST = the host name of the SNI-enabled site URI = the URI to request RECV = the expected response Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)

NODE=

echo ${1} | sed 's/::ffff://'
if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then NODE=${NODE} else NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/
basename ${0}
.sni_monitor_${HOST}_${PORT}_${NODE}.pid" if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error kill -9
cat $PIDFILE
> /dev/null 2>&1 fi echo "$$" > $PIDFILE curl-apd -k -i --resolve $HOST:$PORT:$NODE https://$HOST$URI | grep -i "${RECV}" > /dev/null 2>&1 STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit

Monitor 3

!/bin/bash

pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"

if [ -f $pidfile ] then kill -9 -

cat $pidfile
> /dev/null 2>&1 fi

echo "$$" > $pidfile

node_ip=

echo $1 |sed 's/::ffff://'
node_port=$2

getscript () { echo 'GET / HTTP/1.1' echo 'Host: ..*.com' echo '' while sleep 0; do echo 'quit\n' done }

docurl () { IFS=$'\n' arr=($(getscript | openssl s_client -connect ...:443 -servername ...com 2>/dev/nul |grep -E CN=...com)) unset IFS }

docurl

echo ${arr[0]}

if [ -n "${arr[0]}" ] then Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" fi

Remove the pidfile before the script ends

rm -f $pidfile

No RepliesBe the first to reply