AS3 Monitoring multiple ports selectively
Hi, I have nodes listening on ports 80, 81, 82 and 83. Port 80 is mandatory, and at least one of the other 3 ports is mandatory. With manual configuration, I put the port 80 monitor at the node level and the other 3 ports at the pool member level. With AS3, node-level monitoring does not exist. What are the other options, given that all my deployments are based on AS3? Thanks.

AS3 ACC Conversion
Hi, I have a qkview extracted from a BIG-IP r5600 running version 17.1.1. I have imported the qkview into VS Code and converted it to AS3 using ACC. When I try to post the declaration, I get errors about an SSL certificate not being found, even though the certificates are in place. The fact is, when the configuration was first created on the F5 via the GUI, there was no concept of a PATH under the domain partition, and now with AS3 there is this Shared app that has been added to the configuration. What exactly is the right process for converting to AS3 via ACC when the original configuration qkview file does not have any Application subfolder, just the Admin partition (i.e. Tenant)? Here is the error I am getting right now:

{
  "id": "82530133-0b46-46c3-97a5-68766a5a663f",
  "results": [
    {
      "code": 422,
      "message": "declaration failed",
      "response": "01070277:3: The requested key (/TENANT1/Mycert-2024) was not found.",
      "host": "localhost",
      "tenant": "TENANT1",
      "runTime": 2739,
      "declarationId": "urn:uuid:bdc310a7-31ad-4f07-bf96-2566912cd989"
    }
  ],
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.37.0",
    "id": "urn:uuid:bdc310a7-31ad-4f07-bf96-2566912cd989",
    "label": "Converted Declaration",
    "remark": "Generated by Automation Config Converter",
    "controls": {
      "class": "Controls",
      "userAgent": "vscode-f5/3.16.1",
      "archiveTimestamp": "2024-03-06T15:36:02.267Z"
    },
    "updateMode": "selective"
  }
}

Thanks.

Enabling Package Management in v12 Removed iApps AWS Item
So I'm working in an old lab environment (v12) that isn't currently being used, and under the iApps menu there was an AWS option listed, but Package Management was missing. From the AS3 documentation, I ran the following command to enable Package Management from the CLI - touch /var/config/rest/iapps/enable - and rebooted the BIG-IP. The Package Management option now shows up, but the AWS option is gone. Any idea why? The lab environment was set up years ago, so no one knows what the AWS option was used for or who added/enabled it, so it's not really a loss that it's now gone. However, that it's missing after enabling Package Management is weird. Any thoughts on what happened would be great to hear. Thanks!

F5 AS3 set ProfileHTTP=None
Hello, I'm trying to set the profileHTTP of my virtual server to None. I tried different methods with a "use" or "bigip", with none, /common/none and false, but it is impossible. How do I set my profileHTTP to None via AS3? Thank you for your help. Best regards.

AS3 add another VS to existing tenant
I have deployed the sample AS3 script to create a VS with a pool and pool members from here:

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "label": "Sample 1",
    "remark": "Simple HTTP Service with Round-Robin Load Balancing",
    "AS1": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "generic",
        "MyVS1": {
          "class": "Service_HTTP",
          "virtualAddresses": [ "10.0.1.11" ],
          "pool": "web_pool_1"
        },
        "web_pool_1": {
          "class": "Pool",
          "monitors": [ "http" ],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": [ "192.0.1.10", "192.0.1.11" ]
            }
          ]
        }
      }
    }
  }
}

Now I want to add another VS to the same tenant (same partition), but when I edit the above script and deploy this:

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
    "label": "Sample 1",
    "remark": "Simple HTTP Service with Round-Robin Load Balancing",
    "AS1": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "generic",
        "MyVS2": {
          "class": "Service_HTTP",
          "virtualAddresses": [ "10.0.1.12" ],
          "pool": "web_pool_2"
        },
        "web_pool_2": {
          "class": "Pool",
          "monitors": [ "http" ],
          "members": [
            {
              "servicePort": 80,
              "serverAddresses": [ "192.0.1.12", "192.0.1.13" ]
            }
          ]
        }
      }
    }
  }
}

it replaces the old configuration and I only have MyVS2. How can I add MyVS2 to the current configuration without losing MyVS1?

DELETE method with AS3 is too powerful!
Am I the only one totally freaking out about the fact that with AS3 you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone?? Your whole production system could be wiped out that easily... From my understanding it's mandatory to have the administrator privilege to use AS3, and administrators can access all the partitions; so you cannot even create users that would be allowed to manage only specific partitions... It's all or nothing. In my opinion, the least you should do is get rid of this dangerous default behavior and instead use the keyword "ALL" to remove all tenants...

==========================
Extract from the doc:

Use DELETE to remove configurations for one or more declared Tenants from the target ADC. If you do not specify any Tenants, DELETE removes all of them, which is to say, it removes the entire declared configuration. Indicate the target device and Tenants to remove by appending elements to the main AS3 URL path (/mgmt/shared/appsvcs/declare). By default (just main URL) DELETE removes all Tenants from target localhost.

DELETE examples:

DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare
    removes all tenants

DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare/T1,T2,T5
    removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place
==========================

Does anyone agree, or have a suggestion to add some security?

AS3 Shared Objects and Virtual Service Address Lists
Below is a declaration that will create a virtual service that has the host 1.1.1.50/32 as the allowed source host. How do you create a shared-object address list in AS3, if that is possible? Or, if that is not possible, how do you reference an existing address list in the declaration so I can specify multiple source hosts rather than a subnet?

{
  "class": "AS3",
  "action": "patch",
  "patchBody": [
    {
      "op": "add",
      "path": "/{{tenant}}/testvip",
      "value": {
        "class": "Application",
        "template": "generic",
        "testvip_http_8080": {
          "class": "Service_HTTP",
          "snat": "auto",
          "virtualPort": 8080,
          "virtualAddresses": [
            [ "10.10.10.10", "1.1.1.50/32" ]
          ],
          "iRules": [],
          "pool": "testvip_tcp_8080_pool",
          "persistenceMethods": []
        },
        "testvip_tcp_8080_pool": {
          "class": "Pool",
          "monitors": [
            { "use": "testvip_http_8080_monitor" }
          ],
          "loadBalancingMode": "least-connections-member",
          "members": [
            {
              "adminState": "enable",
              "shareNodes": false,
              "servicePort": 8080,
              "serverAddresses": [ "2.2.2.2" ],
              "hostname": "server1"
            },
            {
              "adminState": "enable",
              "shareNodes": false,
              "servicePort": 8080,
              "serverAddresses": [ "3.3.3.3" ],
              "hostname": "server2"
            },
            {
              "adminState": "enable",
              "shareNodes": false,
              "servicePort": 8080,
              "serverAddresses": [ "4.4.4.4" ],
              "hostname": "server3"
            }
          ]
        },
        "testvip_http_8080_monitor": {
          "class": "Monitor",
          "monitorType": "http",
          "send": "GET /keepalive.txt HTTP/1.0",
          "receive": "200"
        }
      }
    }
  ]
}

An example of an AS3 Rest API call to create a GSLB configuration on BIG-IP.
Hi everyone, below you can find an example of an AS3 REST API call that creates a simple GSLB configuration on BIG-IP devices. The main purpose of this article is to share this configuration with others. Of course, on different sites (GitHub, etc.) you can find different bits of data, but I think this example will be useful, because it contains all the necessary information about how to create different GSLB objects at the same time, such as Data Centers (DCs), Servers, Virtual Servers (VSs), Wide IPs, pools and more.

{
  "class": "AS3",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.21.0",
    "id": "GSLB_test",
    "Common": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "DC1": { "class": "GSLB_Data_Center" },
        "DC2": { "class": "GSLB_Data_Center" },
        "device01": {
          "class": "GSLB_Server",
          "dataCenter": { "use": "DC1" },
          "virtualServers": [
            {
              "name": "/ocp/Shared/ingress_vs_1_443",
              "address": "A.B.C.D",
              "port": 443,
              "monitors": [ { "bigip": "/Common/custom_icmp_2" } ]
            }
          ],
          "devices": [ { "address": "A.B.C.D" } ]
        },
        "device02": {
          "class": "GSLB_Server",
          "dataCenter": { "use": "DC2" },
          "virtualServers": [
            {
              "name": "/ocp2/Shared/ingress_vs_2_443",
              "address": "A.B.C.D",
              "port": 443,
              "monitors": [ { "bigip": "/Common/custom_icmp_2" } ]
            }
          ],
          "devices": [ { "address": "A.B.C.D" } ]
        },
        "dns_listener": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": [ "A.B.C.D" ],
          "profileUDP": { "use": "custom_udp" },
          "profileDNS": { "use": "custom_dns" }
        },
        "custom_dns": {
          "class": "DNS_Profile",
          "remark": "DNS Profile test",
          "parentProfile": { "bigip": "/Common/dns" }
        },
        "custom_udp": {
          "class": "UDP_Profile",
          "datagramLoadBalancing": true
        },
        "testpage_local": {
          "class": "GSLB_Domain",
          "domainName": "testpage.local",
          "resourceRecordType": "A",
          "pools": [ { "use": "testpage_pool" } ]
        },
        "testpage_pool": {
          "class": "GSLB_Pool",
          "resourceRecordType": "A",
          "members": [
            {
              "server": { "use": "/Common/Shared/device01" },
              "virtualServer": "/ocp/Shared/ingress_vs_1_443"
            },
            {
              "server": { "use": "/Common/Shared/device02" },
              "virtualServer": "/ocp2/Shared/ingress_vs_2_443"
            }
          ]
        }
      }
    }
  }
}

P.S. The AS3 schema guide was very helpful: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html

Patching additional TLS certificate to the existing virtual server
Hi, I am new to AS3. I tried the following JSON file to patch a new TLS certificate onto the existing virtual server, however it's not working. Can you let me know the correct procedure?

{
  "class": "AS3",
  "action": "patch",
  "patchBody": [
    {
      "op": "add",
      "path": "/tenanat/Application/private-vip/front-cert",
      "value": {
        "class": "TLS_Server",
        "certificates": [
          { "certificate": "frontend-cert" }
        ],
        "ciphers": "DEFAULT",
        "frontend-cert": {
          "class": "Certificate",
          "certificate": "-----BEGIN CERTIFICATE-----fsdfsdfdshfd-----END CERTIFICATE-----\n",
          "privateKey": "-----BEGIN PRIVATE KEY-----edfddsfdsfds-----END PRIVATE KEY-----\n"
        },
        "private-vip": {
          "layer4": "tcp",
          "class": "Service_HTTPS",
          "ServerTLS": "front-cert",
          "redirect80": false,
          "shareAddresses": true,
          "virtualAddresses": [ "192.168.1.x" ]
        }
      }
    }
  ]
}

Creating an iRule from external source using AS3
I am attempting to create a new iRule using AS3 by pointing to an external file and can't seem to get the declaration and/or rule correct. I am receiving the error below when trying it as is. I have tried iterations of braces around each when clause and around the entire iRule, but can't seem to get the syntax right. Anyone have any luck with this? If not, how are you declaring complex iRules within your AS3 declaration without having to manually escape all the JSON special characters?

Error:

{"message":"Declaration failed: 01070151:3: Rule [/Common/Shared/log4j_mitigation] error: /Common/Shared/log4j_mitigation:1: error: [braces are required around the expression][when HTTP_REQUEST {\n # Version 2.0 - 2021-12-11 23:40 Eastern\n # - Handling nested URI encoding\n # - Improved matching\n # Version 1.0 - 2021-12-11 06:10 Eastern\n # - Initial release\n # less aggressive regexp for those concerned about false positives \\\"\\\\$\\\\{(\\\\$\\\\{env:[^:]+:-|\\\\$\\\\{[a-z]+:)\\?j\\\\}\\?(\\\\$\\\\{env:[^:]+:-|\\\\$\\\\{[a-z]+:)\\?n.+:.+\\\\}\\\" (remove quotes)\n # very aggressive regexp \\\"\\\\$\\\\{.+\\?\\\\}\\\" (remove quotes)\n # URI – based on 200004474\n set tmpUri [HTTP::uri -normalized]\n set uri [URI::decode $tmpUri]\n while { $uri ne $tmpUri } {\n set tmpUri $uri\n set uri [URI::decode $tmpUri]\n }\n if {[string tolower $uri] matches_regex {\\\\$\\\\{}} {\n log local0. \\\"log4j_rce_detection drop on URI: $uri\\\"\n drop\n event disable all\n return\n }\n set tmpReq [HTTP::request]\n set req [URI::decode $tmpReq]\n while { $req ne $tmpReq } {\n set tmpReq $req\n set req [URI::de","level":"error"}

iRule:

when HTTP_REQUEST {
    # Version 2.0 - 2021-12-11 23:40 Eastern
    # - Handling nested URI encoding
    # - Improved matching
    # Version 1.0 - 2021-12-11 06:10 Eastern
    # - Initial release
    # less aggressive regexp for those concerned about false positives "\$\{(\$\{env:[^:]+:-|\$\{[a-z]+:)?j\}?(\$\{env:[^:]+:-|\$\{[a-z]+:)?n.+:.+\}" (remove quotes)
    # very aggressive regexp "\$\{.+?\}" (remove quotes)
    # URI – based on 200004474
    set tmpUri [HTTP::uri -normalized]
    set uri [URI::decode $tmpUri]
    while { $uri ne $tmpUri } {
        set tmpUri $uri
        set uri [URI::decode $tmpUri]
    }
    if {[string tolower $uri] matches_regex {\$\{}} {
        log local0. "log4j_rce_detection drop on URI: $uri"
        drop
        event disable all
        return
    }
    set tmpReq [HTTP::request]
    set req [URI::decode $tmpReq]
    while { $req ne $tmpReq } {
        set tmpReq $req
        set req [URI::decode $tmpReq]
    }
    # Header – looks for ${j…} or ${${…}}
    if {[string tolower $req] matches_regex {\$\{\s*(j|\$\{).+?\}}} {
        log local0. "log4j_rce_detection drop on header: $req"
        drop
        event disable all
        return
    }
    # Payload – looks for ${j…} or ${${…}}
    if {[HTTP::method] eq "POST"} {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    set tmpPayload [HTTP::payload]
    set payload [URI::decode $tmpPayload]
    while { $payload ne $tmpPayload } {
        set tmpPayload $payload
        set payload [URI::decode $tmpPayload]
    }
    if {[string tolower $payload] matches_regex {\$\{\s*(j|\$\{).+?\}}} {
        log local0. "log4j_rce_detection drop on payload"
        drop
        event disable all
    }
}

AS3 JSON:

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "molecule_192.168.121.79_1642700459",
    "label": "molecule_192.168.121.79_2022-01-20T17:40:59Z",
    "remark": "DTI f5 as3 declaration for molecule_192.168.121.79",
    "Common": {
      "Shared": {
        "class": "Application",
        "log4j_mitigation": {
          "class": "iRule",
          "iRule": {
            "url": {
              "skipCertificateCheck": true,
              "url": "https://xxxxxxx/Bradley.Anderson/irules_test/-/raw/main/log4j_mitigation.irule"
            }
          }
        },
        "template": "shared"
      },
      "class": "Tenant"
    },
    "Molecule": {
      "Molecule-API": {
        "class": "Application",
        "molecule_api": {
          "class": "Service_HTTP",
          "pool": "molecule_api_pool",
          "virtualAddresses": [ "192.168.100.101" ]
        },
        "molecule_api_pool": {
          "class": "Pool",
          "members": [
            {
              "serverAddresses": [ "10.0.1.5", "10.0.1.6" ],
              "servicePort": 80
            }
          ],
          "monitors": [ "http" ]
        }
      },
      "Molecule-Web": {
        "class": "Application",
        "molecule_web": {
          "class": "Service_HTTP",
          "pool": "molecule_web_pool",
          "virtualAddresses": [ "192.168.100.100" ]
        },
        "molecule_web_pool": {
          "class": "Pool",
          "members": [
            {
              "serverAddresses": [ "10.0.1.3", "10.0.1.4" ],
              "servicePort": 80
            }
          ],
          "monitors": [ "http" ]
        }
      },
      "class": "Tenant"
    },
    "Foo": {
      "Foo-Web": {
        "class": "Application",
        "foo_web": {
          "class": "Service_HTTP",
          "pool": "foo_web_pool",
          "virtualAddresses": [ "192.168.100.102" ]
        },
        "foo_web_pool": {
          "class": "Pool",
          "members": [
            {
              "serverAddresses": [ "10.0.1.7", "10.0.1.8" ],
              "servicePort": 80
            }
          ],
          "monitors": [ "http" ]
        }
      },
      "class": "Tenant"
    }
  }
}