Problem with lets encrypt and redirect after update
Hi, we have updated our BigIP last week from 15.x to 17.1.1.4, since then we are not able to get certificates from lets encrypt, if there is the _sys_https_redirect iRule active on the Virtual Server. As an example, i have for the IP 1.2.3.4 (asdf123.info) two VS with port 80 and 443, on port 80 are two iRules mapped: lets_encrypt: when HTTP_REQUEST { if {[HTTP::has_responded]} {return} if { not ([HTTP::path] starts_with "/.well-known/acme-challenge/") } { return } set token [lindex [split [HTTP::path] "/"] end] set response [class match -value -- $token equals acme_responses] if { "$response" == "" } { log local0. "Responding with 404 to ACME challenge $token" HTTP::respond 404 content "Challenge-response token not found." } else { log local0. "Responding to ACME challenge $token with response $response" HTTP::respond 200 content "$response" "Content-Type" "text/plain; charset=utf-8" } } and _sys_https_redirect: # Copyright 2003-2006, 2012-2013, 2016, 2019. F5 Networks, Inc. See End User License Agreement ("EULA") # for license terms. Notwithstanding anything to the contrary in the EULA, # Licensee may copy and modify this software product for its internal business # purposes. Further, Licensee may upload, publish and distribute the modified # version of the software product on devcentral.f5.com. # when HTTP_REQUEST { HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri] } definition-signature tJY87UPbfpgQ3TPXqXhbCAgqIJhR1MvyFxXLTX/wNqmH+XV51tNkr8HWmv4PBq8hm6w7peLKj88shG+0RiX+yAMU31n6jS9vRcg0VKNPBWLTzu3Ic8abqyyY6XYgkMel+d9Sa8x+vakcuPcAZ0dnICHQiQFePjxYUD0XKwIrbGqQb8vEcU3HHbDaLoMQry4KDnV3s1crFpWXBZBo6esIdzM/s0jYncqZBNdTmIEH3ujEunmo2Jh9MBDhwfGKy1XwCfeeZvzk8b1J+HbRk7W/vbrRUewJZDt+Z13i9u/MbneAL4QXZgtjSxU2nN4GcZjWePUIm7oxc1nz9FGeNva1xg== This configuration had worked for years now, but since the update to 17.1.1.4 we get a "connection reset by peer" at requests for http://asdf123.info/.well-known/acme-challenge/30IpwjJqyA7LKANXCvu7gyN9txfYQOqzllBNC3ROPnY if i remove the _sys_https_redirect iRule, it works fine. Has anyone an solution for this problem?
High availability Blade
Hello everyone, I would like to know if is possible to configuire high availability on two Blade BX110. At the moment I have only one blade where there are all Tenants and, the capacity of using it, is 85% . The customer want to buy another Blade but, it wants that for every Velos, te two blades build a unique partition. Is it possible to do it by considering that in one blade there are all Tenants in a production environment ? Which type of impact there will be ? To sum up could i configure both blade in high availability with no run the risk to block the services of the Tenants ? I have read that is possible to make a setup of the blades but is not mentioned that this activity could provide, if on the one are presents Tenants, to reset the configuration. Many thanks in advanced for your help. Awaiting your news,
How to log HTTP/2 reset_stream
Hello, We are currently in a meeting to prepare for HTTP/2 DDoS attacks. What we would like to do is log the client’s IP address (either local or remote) whenever an HTTP/2 RESET_STREAM is received. Is there any way to achieve this? Would it be possible to implement using an iRule? Thank you.Identify which virtual servers are using a specific SSL certificate
We use a wildcard SSL certificate for our QA sites. There are many of them. I am renewing the SSL cert but have no idea which Virtuals are using it. Is there an easy way to determine this other than checking each and every virtual, listing the Client-ssl profile and then looking up the profile to see what certificate is being used?Users account sessions mixed up..
Hi < I have been asked to look into a very strange issue. And not sure from where to start. I dont think it is happening due to Big IP. But could someone please provide a insight. Only persistence cookie is sent by big ip. Session and auth cookie is sent by back end servers. Although Big IP just add 'secure' parameter into all those cookies. Summary of the issue is below. We need your help on this critical matter. A user has reported that for some reason, her sessions got mixed up. That is, she logged under Username JFSM first and went to My Billing page to perform a function. Then she logged as JSMIREZ and was going to the My Billing Page for the new account. Instead, of getting to right page, she was directed to the previous log-in’s Account Summary page. Now, she confirmed she was only using one browser session. Is there any chance that sessions can get mixed up from the big ip for the same browser? That is, somehow a prior page request can be re-sent to the current session? I know am grasping at straws here but I am not sure what are the possibilities. I do have to note that the way the site has been working is that when I open up a browser and log-in to a User Account, let’s call Account A. Then on the same browser, I open up a new window and try to log-in as Account B; I would still get the information for Account A. The reason being, that this is considered as the same session/browser and considers Account A as still active for this session and not Account B even if the requests were made from different windows/tabs. One thing for sure though, if there are multiple users hitting the servers from different browsers, is there any chance at all where their requests can get mixed up? That is, you can have Users A, B, and C all hitting the website at the same time. And each of them are using separate browsers from different ip addresses. Is there any chance that the load balancer would ever mix up their sessions where User A’s page requests will be returned to User C and User C’s requests are returned to User B enabling them to see someone else’s account?F5 upgrades
We are upgrading F5 tenants from 17.1 to 17.5. We have Two R-series pairs at each data center ( ex:main and colo) Within the data center, they are in HA active standby and the 4 are in a GSLB group . Each host has one tenant During the upgrade process, I disabled GTM Sync on the F5 that is going to be upgraded. Is it recommended? I plan on having traffic moved to this active box at ex colo from the other data center main, I won't be making any config changes . After the applications move to this side, LTM pools show up on this side and global availability will have the upgraded side up. just want to make sure, if that is disabled, do we need to leave them disabled and sync them after all the 4 F5s are upgraded? during this process, can we make changes with the data center on LTM pools? Thank you
