Connecting a AWS Cloudfront Distribution Pool/Node to an F5 iApp
Hi there, I was wondering if I could get some advice on connecting up AWS Cloudfront Distribution Pool/Node to an F5 iApp. The iApp in question has a default pool of on premises servers but we have a requirement in that for a specific URL path then we instead forward onto a AWS Cloudfront distribution. The below is a snippet from the irule we currently have configured: when CLIENT_ACCEPTED { SSL::disable serverside } when HTTP_REQUEST { if {([HTTP::uri] starts_with "/falc/")} { SSL::enable serverside HTTP::header replace Host "d2s8lx2sdbghef.cloudfront.net" pool d2s8lx2sdbghef.cloudfront.net } } The pool and the FQDN node are showing green which means F5 can resolve the addresses. However when we attempt to go to a URL which starts with the prefix above instead of being direct to the Cloudfront distribution (and the S3 content behind) we instead get the following: Check and the distribution has redirect HTTP to HTTPS configured on the behaviour and we are attempting to replace the Host with the matching distribution. I was wondering if this has been encountered by anyone before, if anyone has attempted anything similar and if able to get it working how that was achieved. Thank you in advance of any assistance that may provide.
About Vulnerability Countermeasures
Thank you for your assistance. I would like to know if the following product is effective as a vulnerability countermeasure. Product name: F5 Rules for AWS WAF Common Vulnerabilities and Exposures Target vulnerability: CVE-2021-26691 CVE-2021-26690 CVE-2020-35452 We apologize for the inconvenience, but we would appreciate it if you could check on this issue as soon as possible. Thank you in advance for your cooperation.F5 API Security on AWS WAF
Hello community, We have deployed multiple APIs on EKS and have exposed them using an application load balancer. I have added AWS WAF on top of the ALB. I am using XML payload in the API and for XML security, I have enabled F5 API Security managed rule for WAF. My question is: Does F5 managed rule for API Security on AWS WAF provides XML validation? If yes, what rule is that inside the managed rule set? Can we configure the F5 managed rule to check my XML payload based on regex? How can I configure it? Thanks in advance! Avinash
Passive FTP using FTP profile
Hi Community, I have an F5 Big-IP 16.0.1.1 running on AWS with a FTP server behind running vsftpd. The idea is balance passive ftp publically. So, clients should hit public IP of the F5 for passive ftp. This scenario is running perfectly without an FTP profile, just a tcp profile (all ports) and the option pasv_address on the ftp server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5. I've tried to implement FTP passive load balancing using official documentations like (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html ) , but no matter what combination or configuration is implemented on the F5 & the ftp server, if I have the ftp profile the message ("passive mode refused") is always received after request PASV and only works if I use this for internal passive ftp, meaning that I not configure a "pasv_address" on the ftp server, and the client that request the connection is in the same Lan than the F5 & ftp server, resolving everything internally. As a said, i've tried a lot of combinations and settings on the F5 and ftp servers, but nothing works. Could someone give me a little of guidance here? Thanks in advance.Wildcard virtual server F5 on AWS
Hello everyone, I'm trying to configure a Wildcard forwarding virtual server on AWS (0.0.0.0:0) in order to communicate a bunch of clients with different destinations. For example, i need clients with the next ip addresses 10.2.2.0/24 and 10.2.3.0/24 being able to communicate with some services with different IP's and ports (10.55.55.23:14502, 10.55.55.76:14502, 10.55.56.27:14501) Its a 2-NIC deployment (1 NIC for management and 1 NIC for Traffic). In the traffic NIC i only have configured the self IP (No secondary IP addresses assigned on this AWS interface) I already disabled source/destination check on the F5 instance. After some tests i cant see any data from clients reaching the big ip. Do i need to assign a secondary IP address in the traffic NIC so the big ip can use this IP to capture the traffic ? Is there something else i'm missing in my configuration? Every suggestion is welcome. Thanks in advance guys!
Setting BIG-IP LTM Virtual Server for two SQL Servers nodes
I've created BIG-IP Virtual Edition instance in Amazon EC2 using this tutorial. I've followed this tutorial to configure BIG-IP System as an MS SQL Database Proxy. There were couple things that I didn't get in "Creating a database proxy virtual server" section: For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network. In the Service Port field, type 1443. Which IP address should I use in destination field? Public IP, which I use to connect to BIG-IP WEB UI? Why it says set service port to 1443, not 1433, which is default to SQL Server? For now I set public IP and 1443 port and tried to verify connection using UDL file I have two DB nodes and when trying to verify connection directly to their IP addresses - connection succeeds. But when I try BIG-IP public IP - connection fails with the following error message: Test connection failed because of an error in initializing provider. [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied. Both nodes are enabled and available in LTM (Local Traffic Manager). Any ideas what I'm doing wrong?
FQDN node regression 11.6.0-HF5 ?
I'm using FQDN nodes in my AWS F5 VEs After upgrading to 11.6.0-HF5 the FQDN resolution/instantiation doesn't work any more. The ephemeral nodes are not created, and the availability of the node remains " Unknown (Enabled) - Querying DNS resolver is enabled, but result is not available yet " Of course the DNS resolution is working (I can 'dig' any hostname from ssh) Here is my test case: tmsh create ltm node my_test_google_fqdn fqdn { autopopulate enabled down-interval 2 interval 15 name google.com } In 11.6.0-HF4 it works as expected, and generates this nodes: In 11.6.0-HF5 it generates this list: Do you know something that changed in HF5 ? Maybe in HF5 there is some configuration missing that was previously optional. Thanks for any pointers. Angelo.
