Creating an iRule from external source using AS3
I am attempting to create a new iRule using AS3 by pointing to an external file and can't seem to get the declaration and/or rule correct. I am receiving the below error when trying as is. I have tried iterations of braces around each when clause and around the entire iRule, but can't seem to get the syntax right. Anyone have any luck with this? If not, how are you declaring complex iRules within your AS3 declaration without having to manually escape all the json special characters? Error: {"message":"Declaration failed: 01070151:3: Rule [/Common/Shared/log4j_mitigation] error: /Common/Shared/log4j_mitigation:1: error: [braces are required around the expression][when HTTP_REQUEST {\n # Version 2.0 - 2021-12-11 23:40 Eastern\n # - Handling nested URI encoding\n # - Improved matching\n # Version 1.0 - 2021-12-11 06:10 Eastern\n # - Initial release\n # less aggressive regexp for those concerned about false positives \\\"\\\\$\\\\{(\\\\$\\\\{env:[^:]+:-|\\\\$\\\\{[a-z]+:)\\?j\\\\}\\?(\\\\$\\\\{env:[^:]+:-|\\\\$\\\\{[a-z]+:)\\?n.+:.+\\\\}\\\" (remove quotes)\n # very aggressive regexp \\\"\\\\$\\\\{.+\\?\\\\}\\\" (remove quotes)\n # URI – based on 200004474\n set tmpUri [HTTP::uri -normalized]\n set uri [URI::decode $tmpUri]\n while { $uri ne $tmpUri } {\n set tmpUri $uri\n set uri [URI::decode $tmpUri]\n }\n if {[string tolower $uri] matches_regex {\\\\$\\\\{}} {\n log local0. \\\"log4j_rce_detection drop on URI: $uri\\\"\n drop\n event disable all\n return\n }\n set tmpReq [HTTP::request]\n set req [URI::decode $tmpReq]\n while { $req ne $tmpReq } {\n set tmpReq $req\n set req [URI::de","level":"error"} iRule: when HTTP_REQUEST { # Version 2.0 - 2021-12-11 23:40 Eastern # - Handling nested URI encoding # - Improved matching # Version 1.0 - 2021-12-11 06:10 Eastern # - Initial release # less aggressive regexp for those concerned about false positives "\$\{(\$\{env:[^:]+:-|\$\{[a-z]+:)?j\}?(\$\{env:[^:]+:-|\$\{[a-z]+:)?n.+:.+\}" (remove quotes) # very aggressive regexp "\$\{.+?\}" (remove quotes) # URI – based on 200004474 set tmpUri [HTTP::uri -normalized] set uri [URI::decode $tmpUri] while { $uri ne $tmpUri } { set tmpUri $uri set uri [URI::decode $tmpUri] } if {[string tolower $uri] matches_regex {\$\{}} { log local0. "log4j_rce_detection drop on URI: $uri" drop event disable all return } set tmpReq [HTTP::request] set req [URI::decode $tmpReq] while { $req ne $tmpReq } { set tmpReq $req set req [URI::decode $tmpReq] } # Header – looks for ${j…} or ${${…}} if {[string tolower $req] matches_regex {\$\{\s*(j|\$\{).+?\}}} { log local0. "log4j_rce_detection drop on header: $req" drop event disable all return } # Payload – looks for ${j…} or ${${…}} if {[HTTP::method] eq "POST"}{ # Trigger collection for up to 1MB of data if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } # Check if $content_length is not set to 0 if { $content_length > 0} { HTTP::collect $content_length } } } when HTTP_REQUEST_DATA { set tmpPayload [HTTP::payload] set payload [URI::decode $tmpPayload] while { $payload ne $tmpPayload } { set tmpPayload $payload set payload [URI::decode $tmpPayload] } if {[string tolower $payload] matches_regex {\$\{\s*(j|\$\{).+?\}}} { log local0. "log4j_rce_detection drop on payload" drop event disable all } } AS3 json: { "class": "AS3", "action": "deploy", "persist": true, "declaration": { "class": "ADC", "schemaVersion": "3.0.0", "id": "molecule_192.168.121.79_1642700459", "label": "molecule_192.168.121.79_2022-01-20T17:40:59Z", "remark": "DTI f5 as3 declaration for molecule_192.168.121.79", "Common":{ "Shared": { "class": "Application", "log4j_mitigation": { "class": "iRule", "iRule": { "url": { "skipCertificateCheck": true, "url": "https://xxxxxxx/Bradley.Anderson/irules_test/-/raw/main/log4j_mitigation.irule" } } }, "template": "shared" }, "class": "Tenant" },"Molecule":{ "Molecule-API": { "class": "Application", "molecule_api": { "class": "Service_HTTP", "pool": "molecule_api_pool", "virtualAddresses": [ "192.168.100.101" ] }, "molecule_api_pool": { "class": "Pool", "members": [ { "serverAddresses": [ "10.0.1.5", "10.0.1.6" ], "servicePort": 80 } ], "monitors": [ "http" ] } }, "Molecule-Web": { "class": "Application", "molecule_web": { "class": "Service_HTTP", "pool": "molecule_web_pool", "virtualAddresses": [ "192.168.100.100" ] }, "molecule_web_pool": { "class": "Pool", "members": [ { "serverAddresses": [ "10.0.1.3", "10.0.1.4" ], "servicePort": 80 } ], "monitors": [ "http" ] } }, "class": "Tenant" },"Foo":{ "Foo-Web": { "class": "Application", "foo_web": { "class": "Service_HTTP", "pool": "foo_web_pool", "virtualAddresses": [ "192.168.100.102" ] }, "foo_web_pool": { "class": "Pool", "members": [ { "serverAddresses": [ "10.0.1.7", "10.0.1.8" ], "servicePort": 80 } ], "monitors": [ "http" ] } }, "class": "Tenant" }} }BIG-IQ & AS3 Template using Certificates uploaded to BIG-IQ
Good Day - Currently I am running BIG-IQ version 8.2.x, and we are deploying / migrating all legacy applications over to BIG-IQ AS3 templates. Currently we utilize a BYOC (Bring your own Certificate) model, where end users will need to download certs, copy and past into the applicaiton via BIG-IQ. I do not have the API process setup just yet, but they are bound by the AS3 template created in BIG-IQ. We are now looking at intergrating BIG-IQ with Venafi 22.4.1.2245. What I am trying to figure out is the following? My thought would be Venafi automated process to import/upload as in the link below into BIG-IQ, and then with the Veanfi intergration certificates could be set to auto renew, and the app owner would just need to republish their applicaiton to update certificate. https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/HowToSamples/bigiq_public_api_wf/t_import_cert_and_key.html But now I am trying to how to link the AS3 templates for the applications to the certificate now imported into BIG-IQ. The values I have within the Certificate section of the AS3 template are the following: Base64 (We are not using this) Text (this what we are using for BYOC process where users copy and paste txt version of cert but looking to improve with the process above) Resource URL (I tried using similar for my cert like the below links from the above import article, but this is not working, for it is giving a pointer error) (Question? could this be a url to Venafi where it could download the certificate automatically?) https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-key/ed0168ee-696f-3036-8266-7b81c4840246 https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert/9c6dfe1c-7d89-3447-bf35-e58c88904a7c Copy from (I tried this with all different variants from the import document, but I just keep getting F5pointer error) Does anybody know how to use this to pull the certificate in? BIG-IP component pathname (This will not work as the cert would need to be pushed to the BIG-IP) Anybody have any thoughts on this? My goal is to not have to do any Certificate Management apsect, just either profile the link to where cert can be pulled from via BIG-IQ or Venafi when a user deploys the application. Ideally would be using the process to import the cert, and referencing this cert on BIG-IQ at deployment time? Any help would be greatly appreciated. Thx
Export existing config to AS3 declaration
Hi all, I was study the new way to create configs on a f5 with AS3 and the "declarative model". I like the approach and now I try to find a solution to export an existing f5 config to an AS3 declaration. Anyone know how to do this? The goal is to use an existing config as a AS3 declaration for a DR site cluster. Thanks, Peter
AS3 server node declaration
Hi all, I'm experimenting with AS3 declarations for configuring LTM services on BIG-IP nodes and can't seem to find a way to directly define static server nodes (create ltm node ..) - the only way they get created is by configuring pool with static members. Any ideas on what is the rationalle behind it? thanks, VytautasAS3 Shared Objects and Virtual Service Address Lists
Below is a declaration that will create a virtual service that has a host 1.1.1.50/32 as the allowed source host. How in AS3 do you create a shared object address list if that is possible, or if that is not possible how do reference an existing address list in the declaration so I can specify multiple source hosts rather than a subnet? { "class": "AS3", "action": "patch", "patchBody": [ { "op": "add", "path": "/{{tenant}}/testvip", "value": { "class": "Application", "template": "generic", "testvip_http_8080": { "class": "Service_HTTP", "snat": "auto", "virtualPort": 8080, "virtualAddresses": [ ["10.10.10.10", "1.1.1.50/32"] ], "iRules": [], "pool": "testvip_tcp_8080_pool", "persistenceMethods": [] }, "testvip_tcp_8080_pool": { "class": "Pool", "monitors": [ { "use": "testvip_http_8080_monitor" } ], "loadBalancingMode": "least-connections-member", "members": [ { "adminState": "enable", "shareNodes": false, "servicePort": 8080, "serverAddresses": [ "2.2.2.2" ], "hostname": "server1" }, { "adminState": "enable", "shareNodes": false, "servicePort": 8080, "serverAddresses": [ "3.3.3.3" ], "hostname": "server2" }, { "adminState": "enable", "shareNodes": false, "servicePort": 8080, "serverAddresses": [ "4.4.4.4" ], "hostname": "server3" } ] }, "testvip_http_8080_monitor": { "class": "Monitor", "monitorType": "http", "send": "GET /keepalive.txt HTTP/1.0", "receive": "200" } } } ] }