APM :: Portal Access Lists :: SNI & HTTP
I'm trying to create a Portal Access List with a few web resources, and one of the links does not work because it is an Apache server that is validating that the SNI and HTTP hostname match. The problem is that when the user logs into APM and launches the web link, they are launching a request to the APM and not the backend server... therefore the SNI is for APM and does not match the HTTP hostname in the header (which is specified in the Portal Access link via Application URI).

    [ssl:error] [pid 11111] AH02032: Hostname xxx.yyy.com provided via SNI and hostname aaa.bbb.com provided via HTTP are different

From what I've read, this cannot be disabled on the Apache server without removing SNI and recompiling... which is not an option for me. However, this F5 use-case seems like it would be fairly common, so I'm not sure what I'm missing here. Anybody have any thoughts?

Thanks

469 Views, 0 likes, 1 Comment

Apache origin and header conversion to iRules
I need to turn this into an F5 iRule. Can you help me with this, please?

    <IfModule mod_headers.c>
        Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
        SetEnvIf Origin "^http(s)?://(.+\.)?tgr\.cl$" AccessControlAllowOrigin=$0
        Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header set Access-Control-Allow-Credentials "true"
    </IfModule>

726 Views, 0 likes, 2 Comments

Need Help with Case Insensitive iRule for Apache Migration
Hi All,

I have been helping on migrating our Apache environments into our F5 and everything has been working well, until we noticed that case insensitivity is not working. Here is the issue I am running into:

If I go to www.website.com/test it works just fine. If I go to www.website.com/TEST, it does not work at all.

I have the rewrite profile in place and the following iRule as well:

    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { not ( [HTTP::path] ends_with "/") && not ( [URI::basename [HTTP::uri]] contains "." ) } {
            # Append slash and keep querystring when it exists
            HTTP::uri [HTTP::path]/[expr { "[URI::query [HTTP::uri]]" eq {} ? {} : "?[URI::query [HTTP::uri]]" }]
        }
        if { [string tolower [HTTP::uri]] starts_with "/apps" } {
            pool ProxyPass_DEV_pool_2
        } else {
            pool ProxyPass_DEV_pool_1
        }
    }

I figured line 2 "set uri [string tolower [HTTP::uri]]" would have fixed this but no dice. Any help would be greatly appreciated.

Thanks!

413 Views, 0 likes, 1 Comment

Apache to F5 Configuration
Hi everyone,

We are having trouble with our F5 configuration. Here is the scenario: we are using a mobile application (from the Play Store) to access the server. It uses a standard VS with port 443 and performs SSL offloading. The configuration is based on the Apache server, which is currently in production with no errors. A single server is accessed by both the web and the mobile application; they only use different ports. Here is the config:

    ProxyPass /fo connectiontimeout=60 timeout=600
    ProxyPassReverse / timeout=600
    ProxyPass /mob connectiontimeout=60 timeout=600
    ProxyPassReverse /mob timeout=600

Looking at the firewall, no other port is being used by the client when accessing using the application. We captured some pcap; based on it, F5 can receive the traffic and can exchange SSL. However, we cannot see F5 sending the traffic to the server. It seems that there is a configuration error with the virtual server.

We tried changing the type to Performance L4, but SSL offloading is removed. We also changed the protocol to All protocols, but still, SSL offloading is removed. Is there a way to have an All-protocol type of VS but with SSL offloading? Can this be done via an iRule? If not, has anyone experienced the same problem (using a mobile application passing through F5)?

Thank you all for the response.

419 Views, 0 likes, 1 Comment

health monitor IIS
Hello,

I was wondering if someone can shed some light on a health monitor I am trying to set up. I'll give a brief overview of the setup. We have an application that gets proxied via Apache (the Apache servers are the nodes in the pool being monitored; they act as a proxy, nothing more) to IIS, where the application actually lives. I am trying to set up a monitor so that it monitors, say, an index.html page on the IIS server, something along the lines of:

    Send string - http://Portal/dir/index.html
    Receive string - IIS is up

I tried to use this, but the nodes fail the health check when applying the monitor to the pool. The service ports that it's monitoring for are https.

Any help is greatly appreciated.

Thanks

980 Views, 0 likes, 4 Comments

Uploading Apache certificate chain
Trying to implement smart card auth for the BIG-IP Configuration utility, but unable to upload the cert chain via the UI or CLI. Receive the following error:

    Values (/parition/name) specified for Certificate Bundle Entity (/partition......) foreign key index (certificate_file_object_FK) do not point to an item that exists in the database.

I've seen references to this error and a bug in 11.5; however, this is 12.1.2, and I'm also having the problem with 13.0. I've uploaded the bundle elsewhere and it's fine. Does anybody know if the bug is still outstanding, or any workarounds?

Appreciated.

195 Views, 0 likes, 0 Comments

Migrate IIS ASM policy to Apache
Hello!

If you have an established IIS ASM policy, but your company moves to Apache servers, at a high level, does anyone have any tips for merging the two policies? I have read this entire article here: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/40.html

And at a high level, it seems that the steps are:

1) Create a new policy with the same distinctions but add the Apache signature set. (Keep the differentiate HTTP/HTTPS URIs and Encoding options the same.)
2) Update all signatures on both ASM systems (if moving to a different ASM).
3) Use the policy diff feature and manually carry over the attributes.

Thanks!

278 Views, 0 likes, 1 Comment

Optimal timeout and interval settings for Apache health monitor
We have a farm of Apache 2.2 webservers being load balanced by an F5. Currently the timeout is set to 30 seconds (believe it's the default value). Based on this configuration, if a specific webserver has an outage, it could take up to 30 seconds for the F5 to identify that the server is not available and stop sending requests to that pool member. During that interval, end users sent to that web server will receive an error.

Are there recommended configurations to define for timeout and interval in the health monitor to avoid downtime in a highly available environment? Appreciate any feedback.

Regards,

545 Views, 0 likes, 5 Comments

OpenSSL vulnerability and Apache Commons FileUpload vulnerability CVE-2014-0050
Hi,

I'm on BIG-IP version 11.5.1 HF2, and my BIG-IP iHealth station is featuring some vulnerabilities that I am not managing to correct.

1 - Configuration utility / Apache Commons FileUpload vulnerability CVE-2014-0050. How to make the Configuration utility safe? This article did not help me much: SOL15189
2 - COMPAT SSL ciphers / OpenSSL vulnerability CVE-2013-6449. This article also did not help me much to fix these vulnerabilities: sol15147

Anyone know how to fix?

264 Views, 0 likes, 3 Comments