Restricting access to a virtual server by public IP address: the site should be reachable through its domain name only.

vishu_chavan

We had published a website on the F5 with a domain name. The domain is now available publicly, but the published website is also reachable by its IP address from the public network (we have created a server pool).

The website must be accessible through the domain name only.

We tried to create an iRule for the same domain, but it gave an error about assigning an HTTP profile.

We tried to apply an HTTP profile to the domain, but the domain's virtual server pool went down and the domain became unavailable.

We are using F5; the current version is 11.5.8.

Kindly suggest a workaround for version 11.5.8.

I am new to F5.

1 ACCEPTED SOLUTION

It seems you have not used your domain certificate under the client SSL profile. Check the link below to upload your CA-issued domain certificate and key to the BIG-IP; after that, create a client SSL profile pointing to your domain certificate/key and any chain certificate.

https://my.f5.com/manage/s/article/K14620#3

Once done, check your domain for any SSL issue by running the test at the link below:

https://www.sslshopper.com/ssl-checker.html

 


F5-Enthusiast

Hello,

Please note first that version 11.5.8 has been out of any support and service since April 8, 2019, as you can see in the BIG-IP software support policy (f5.com).

For your problem, a solution via iRule is viable; you could also use LTM Policies.
But, as you describe, you can't add the iRule (which is based on HTTP events) because you do not have an HTTP profile on the virtual server.
This profile is required to validate or manipulate data at the HTTP layer.

And as you described, you also have application issues if you apply an HTTP profile; it seems the application is protected by SSL/TLS. In this case you would also need a Client SSL / Server SSL profile,

so the F5 is able to decrypt and encrypt the connection, and after that the HTTP profile can be applied to make your iRule work.

But most important: get an updated F5. This software version is old and has many security and operating flaws.

Regards

Thanks for the reply.

Yes, we know the F5 is running on an old version and it is out of date. A new F5 is in process, but it will take time.

Can you please guide me on how to apply SSL/TLS for the virtual server?

Thanks in advance.

Hi F5-Enthusiast,

Thanks for your reply. I tried your solutions.

I applied Client SSL / Server SSL profiles and an HTTP profile on the website and added an iRule for the website.

iRule script below:

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "www.domian.com" {
            return
        }
        default {
            reject
        }
    }
}

All settings applied successfully. Now I can access the website with the domain name only, BUT while accessing the website with the domain it shows that my SSL certificate is expired. When I tried to view that certificate it showed some IT or local certificate.

Earlier my website's SSL certificate was secure and working.

Kindly suggest for the same.

Thanks in advance.


Thanks for the advice.

Now I can access the website only through the domain name, not by IP address.

All settings applied successfully and working. Thanks all.

But I need some information on the iRule.

As of now I have to create a separate iRule for every virtual server pool.

Is it possible to have a single iRule which can be applied to all virtual servers? Because there is a limit on the size of an iRule.

My current iRule:

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "www.domian.com" {
            return
        }
        default {
            reject
        }
    }
}


I suppose you have multiple domains mapped to each virtual server and need to restrict requests to the domain names, not the IP, with a single iRule.

For this you can use an iRule with a data group, where the data group holds the list of domains.

e.g.:

when HTTP_REQUEST {
    set domain [HTTP::host]

    # Reject any request whose Host header is not listed in the data group
    # (a closing bracket was missing after the class match command)
    if { ![class match $domain equals mydomain-DG] } {
        HTTP::respond 403 "Forbidden"
        drop
    }
}

As per this iRule, if the request doesn't match a domain in the mydomain-DG data group then it will be dropped.
You need to create a data group named mydomain-DG and add your domains to it.

Hi all,

Thanks to all for the replies.

Now my website is up and working with the domain name, but after making the virtual server for the domain

I am getting the incoming interface IP address instead of the original public source IP address in the logs for the virtual server on the firewall which is placed behind the F5 (I can see the original public source IP address in the F5 logs but not on the firewall).

Traffic flow:

Public Network-------------->F5--------------------->FIREWALL

I am using SNAT for the published domain.

Is there any setting in the virtual server/pool where I can get the original public address in the F5 and firewall logs?

As you have enabled SNAT, you will see the F5 interface or SNAT pool IP as the source IP in your backend server logs or on any firewall in between.

One way to get the actual client IP on the server for HTTP-based traffic is to use X-Forwarded-For in the HTTP profile and modify the web server to use the X-Forwarded-For header value as the client IP (not sure your firewall can see the HTTP header value).

The other way is to use the F5 interface/floating IP as the default gateway on your backend servers and disable SNAT.
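The X-Forwarded-For workaround described in the reply above, as an added example that is not code from the thread. It does by iRule what the HTTP profile's "Insert X-Forwarded-For" setting does, and adds a log line that shows why the firewall behind the F5 logs a different address: with SNAT on, the server-side connection is sourced from the SNAT address, so only the HTTP header carries the original client IP. The event and command names are standard iRule commands; the log text and variable name are choices made here.

```tcl
# Added example (not from the thread). Carries the real client address to the
# pool member in X-Forwarded-For and logs client, SNAT and pool-member addresses.
when CLIENT_ACCEPTED {
    # Client-side context: the address the client really connected from
    set client_ip [IP::client_addr]
}

when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        # Append rather than overwrite, so entries added by an upstream proxy survive.
        # A client can send its own X-Forwarded-For, so the web server should trust
        # only the right-most value, which is the one this BIG-IP appended.
        HTTP::header replace "X-Forwarded-For" "[HTTP::header value "X-Forwarded-For"], $client_ip"
    } else {
        HTTP::header insert "X-Forwarded-For" $client_ip
    }
}

when SERVER_CONNECTED {
    # Server-side context: IP::local_addr is the SNAT address, i.e. the source IP
    # that a firewall between the BIG-IP and the pool, and the pool member, will log.
    log local0. "client $client_ip -> snat [IP::local_addr] -> pool member [IP::server_addr]:[TCP::server_port]"
}
```

Because the header is inside the HTTP payload, a firewall doing plain layer-3 logging will still record the SNAT address; the header only helps the web server (or a device that inspects HTTP). Disabling SNAT and routing the pool members' return traffic through the BIG-IP, as the reply also suggests, is the only way to make the firewall itself see the original source.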

Hi Ragu,

Thanks for the quick reply. I tried to apply the suggested solution on the virtual server,

but I am still not getting the original source IP address in the firewall logs.

If I only use SNAT (without a virtual server pool) I can get the original source IP address in the firewall logs.

As I am running on a very old version of F5, kindly suggest an appropriate workaround for the mentioned version.


Hi @vishu_chavan,

Could you please send the iRule script that you use now.

> It's mandatory to assign an HTTP profile for this iRule.
> Although you have an unsupported version and you need to upgrade, try the iRule script below:

when HTTP_REQUEST {
    if { [HTTP::host] != "www.example.com" } {
        reject
    }
}

> Replace "www.example.com" with your correct FQDN,
and let me know the results.

_______________________
Regards
Mohamed Kansoh

Snl

You can try the iRule below as well.

Replace x.x.x.x with your IP address.

when HTTP_REQUEST {
    # Tcl is case-sensitive, so the commands must be lower-case ("if", "reject");
    # the check rejects requests whose Host header is the bare IP address
    if { [HTTP::host] equals "x.x.x.x" } {
        reject
    }
}
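The single-iRule, data-group approach from Ragu's reply and the one-domain checks in the last two replies, carried through as an added example that is not code from the thread. It assumes a string data group named allowed_hosts_dg (a name chosen here) that lists the permitted FQDNs in lower case; everything else is standard iRule commands. Unlike the plain `[HTTP::host]` comparisons above, it also matches when a browser sends `www.example.com:443` and treats a missing Host header as a failure.

```tcl
# Added example (not from the thread). One iRule for every HTTPS virtual server:
# the permitted names live in the allowed_hosts_dg data group (hypothetical name),
# so the iRule itself never changes when a domain is added.
when HTTP_REQUEST {
    set raw_host [string tolower [HTTP::host]]

    # Strip an optional :port suffix so "www.example.com:443" still matches,
    # but keep a bracketed IPv6 literal such as "[2001:db8::1]" in one piece.
    if { [string index $raw_host 0] eq "\[" } {
        set host [string range $raw_host 0 [string first "]" $raw_host]]
    } else {
        set host [getfield $raw_host ":" 1]
    }

    # A missing Host header, a bare IP address (v4 or v6) or an unknown name is
    # not in the data group, so all three land in the rejection branch.
    if { $host eq "" || ![class match $host equals allowed_hosts_dg] } {
        log local0. "host check: rejected Host '[HTTP::host]' from [IP::client_addr] on [IP::local_addr]:[TCP::local_port]"
        HTTP::respond 403 content "Forbidden" Connection close
        return
    }
}
```

The data group can be created with `tmsh create ltm data-group internal allowed_hosts_dg type string records add { www.example.com { } example.com { } }`, and the iRule is then attached to each virtual server that has Client SSL and HTTP profiles. Note that the check runs after the TLS handshake, so a client connecting to the bare IP is still shown the certificate from the client SSL profile before it receives the 403; that is why the certificate on that profile must be the real domain certificate, as the accepted solution says.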