Could not login with a VS on F5

FAJUMO · ‎14-Jan-2022

We have an application on port 8181 and was passed through reverse proxy.

Once we access the Application with its real IP, we can login.

but when we login in with the reverse proxy IP/FQDN we get this error : Unable to submit form.

Please i need your expertise on the issue

KeesvandenBos · ‎14-Jan-2022

Hi Fajumo,

Could you share the configuration of the virtual server handling the reverse proxy requests?

the command is: tmsh list ltm virtual <name of the virtual server>

and any irules connected to this virtual server.

Cheers,

Kees

FAJUMO · ‎14-Jan-2022

ltm virtual reverseproxy.etisalat.com.ng {

description "Central VS to handle the untrusted published applications"

destination 41.190.21.150:https

ip-protocol tcp

mask 255.255.255.255

profiles {

Etisalat_tcp-lan-optimized {

context serverside

}

Etisalat_tcp-wan-optimized {

context clientside

}

etisalat_http_profile { }

etisalat_stream_profile { }

serverssl {

context serverside

}

wildcard1.9mobileng.com {

context clientside

}

rules {

Reverse_proxy_irule

}

source 0.0.0.0/0

source-address-translation {

type automap

}

translate-address enabled

translate-port enabled

vlans {

ExtVLAN

}

vlans-enabled

vs-index 143

FAJUMO · ‎14-Jan-2022

Irule is too long to add here. please send me email to send it to

KeesvandenBos · ‎14-Jan-2022

Questions.

The webserver is listening on port 8181, it this HTTPS??

Do you need the stream profile for the Reverse_proxy_irule?

Please post the irule here (you can use the Code Snippet button to make it more readable.

Cheers,

Kees

FAJUMO · ‎14-Jan-2022

when HTTP_REQUEST {

STREAM::disable

SSL::disable serverside

interconnectuat.9mobile.com.ng {

log local0. "[HTTP::host] detected. Going to send to Pool interconnectuat.9mobile.com.ng"

SSL::enable serverside

pool interconnectuat.9mobile.com.ng

}

KeesvandenBos · ‎14-Jan-2022

Ok, during the login, are there any error's in /var/log/ltm related to this irule?

FAJUMO · ‎14-Jan-2022

I tried to get a capure but did not see any hit

1. Create a new decryption irule:

when CLIENTSSL_HANDSHAKE {

log local0. "Client IP: [IP::client_addr] TCP source port: [TCP::remote_port] client"

log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"

log local0.debug "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"

}

when SERVERSSL_HANDSHAKE {

log local0. "Client IP: [IP::client_addr] TCP local port: [TCP::local_port] server"

log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"

log local0.debug "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"

}

2. Add this irule to your VS which is handling the affected traffic.

3. Run tcpdump:

tcpdump -envi 0.0:nnnp -s0 -w /var/tmp/"$HOSTNAME"_"$(date +%d-%m-%y)".pcap host <Your-client-IP>

4. Generate traffic and catch the problem.

5. Stop tcpdump

6. Disable decryption irule

7. Run below commands to create the files with session keys:

sed -e 's/^.*$RSA Session-ID$/\1/;tx;d;:x' /var/log/ltm > /shared/tmp/sessionsecrets.pms

grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm > /shared/tmp/sessionsecrets_random.pms

FAJUMO · ‎14-Jan-2022

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://10.161.33.126:8181/wbs_RESTAPI/authenticateUser. (Reason: CORS request did not succeed). Status code: (null).

KeesvandenBos · ‎14-Jan-2022

https://docs.microsoft.com/en-us/answers/questions/450359/cross-origin-request-blocked-the-same-orig...

DevCentral

Could not login with a VS on F5

MFA required on DevCentral