Automate ASM "Ready to Be Enforced" Attack Signatures
Hi All, the problem scenario is this: multiple F5 ASM deployments which use BigIQ to push out updated attack signatures (works well) and a 14-day Enforcement Readiness Period. This all works well up to this point, where someone manually has to go and click the "Enforce Ready Entities" button. That sounds like a minor thing to do, but in an Enterprise it includes change control/PVT etc. to do... ...but automating this out as a fortnightly thing should reduce risk and I can do other things. So I am comfortable with the API, but looking at the v13/v14 API I don't see functionality that can do this for me. Has anyone done this last step to fully automate attack signature updates?

Let's Encrypt with Cloudflare DNS and F5 REST API
Hi all, this is a follow-up on the now very old Let's Encrypt on a Big-IP article. It has served me, and others, well but is kind of locked to a specific environment and doesn't scale well. I have been going around it for some time but couldn't find the courage (aka time) to get started. However, due to some changes at my DNS provider (they were acquired and shut down) I finally took the plunge and moved my domains to a provider with an API, and that gave me the opportunity to make a more nimble solution. To make things simple I chose Cloudflare as the community proliferation is enormous and it is easy to find examples and tools. I do think, though, that choosing another provider with an open API isn't such a big deal. After playing around with different tools I realized that I didn't need them as it ended up being much easier to just use curl. So, if the other providers have just a somewhat close resemblance it shouldn't be such a big task converting the scripts to fit. There might be finer and more advanced solutions out there, but my goal was that I needed a solution that had as few dependencies as possible, and if I could make that only Bash and curl it would be perfect. And that is what I ended up with. Just put 5 files in the same directory, adjust the config to your environment, and BAM you're good to go!! And if you need to run it somewhere else just copy the directory over and continue like nothing was changed. That is what I call portability. Find all the details here: Let's Encrypt with Cloudflare DNS and F5 REST API. Please just drop me a line if you have any questions or feedback or find any bugs.

F5 APM VPN Support For Microsoft O365 Split-Tunneling
We ran into a significant issue with remote VPN client performance when our Microsoft Office products moved to the O365 cloud offering. Our current limitation of "no split-tunneling" per corporate policy prevented our users from establishing connectivity to their geographically preferable O365 cloud. Instead, their traffic could/would route back to the corporate F5 APM VPN BigIP and then out to the internet. Much longer path, and real-time services such as Teams/Skype calls suffered greatly. Other vendors were also having issues with this, such as ForcePoint (Websense) and McAfee. Those vendors released O365-specific patches to permit better performance through various rules and methods. Our F5 APM VPN was the bottleneck and we had to address this quickly. Approval was granted to permit ONLY O365 products to be split-tunneled. Luckily, Microsoft has fielded this question/requirement many times and they had a ready answer: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges Unfortunately, there are 500+ IPv4 networks alone. Many are overlapping and some could be combined into a supernet. Not pretty, but workable. Using node.js, we developed a script that will pull down the Microsoft IPv4 space, perform a CIDR clean on the networks, log into the F5 BigIP and push the Network Access exclude IP list, then apply the Access Policy in one shot. You can see the repo here: https://github.com/adamingle/f5O365SplitTunnelUpdateScript If you'd like to use the repo, please note the "settings.json" file. You will need to update it according to the README.md. Additionally, you will need to configure the allowable/tunneled traffic for the Network Access on VPN. If you only specify the exclusion space, there will be no inclusion space and no traffic will traverse the tunnel.

1. Enable split-tunneling by checking the "Use split tunneling for traffic" radio button
2. Add ALL networks to the "IPV4 LAN Address Space" with the IP Address 0.0.0.0 and Mask 0.0.0.0
3. Specify wildcard/asterisk for the "DNS Address Space"

After you have split-tunneling enabled on your Network Access Lists in F5 APM and you have correctly modified the "settings.json" file of your local f5O365SplitTunnelUpdateScript repo, you should be able to execute your O365 split-tunneling address exclusion changes. Use Jenkins or another automation tool to run the script automatically. Definitely worth a watch: https://channel9.msdn.com/Events/Ignite/2015/BRK3141 *This has been tested/used successfully with the Edge 7.1.7.1 client on v13.1.1

Cannot create iApps that run over http and https on same VIP
Gurus, I have an app that runs over http and partly over https. Up until now I would create 2 VS on the same IP: one for http on 80 and one for https on 443, which works because the port is different. It's unclear to me how this translates into the iApp concept. Logically there is only one app spread over 2 VS. The first problem is naming:
* I can only create one iApp over either http or https; after that I have to pick another iApp name or else it complains that objects with this prefix already exist.
* When I pick a different name, however, it still complains that: "01070333:3: Virtual Server /Common/vs1 illegally shares both address and vlan with Virtual Server /Common/vs2"
This means I cannot use the iApp template at all. Both http and https have to listen on the same IP and allow the same VLAN. This works when you do it manually. This opens up an interesting question. What exactly distinguishes an "iApp"? Is it per IP or per virtual server? It looks like there is no concept of having the same app use 2 different VS. How can I tell the F5 how to distinguish my apps? E.g. I have one setup where there is only one single VIP and all apps are separated only by URI. I have iRules that take care of that like:

when HTTP_REQUEST {
    # the apps share one VIP and differ only by URI, so select the pool on the request URI
    if { [HTTP::uri] starts_with "/app1" } {
        pool app1
    } elseif { [HTTP::uri] starts_with "/app2" } {
        pool app2
    }
    # and so forth
}

I assume there is no way to tell the LTM to make these into separate iApps, right? I was OK with switching back to having dedicated IPs per app but now I cannot even seem to do that. Am I out of luck?

Deploy an application Service from an iApp template via tmsh
I've seen a couple of references to how to do this but nothing fully fleshed out, so here is my attempt to do so. The actual man page of the command can be viewed by issuing the following from within tmsh:

help /sys application service

First off, deploying an iApp from tmsh is not like deploying it from the GUI. It is not interactive, so all of the questions that the template wizard would ask you need to be answered at once. The 'iApp' itself is actually a few different components which I won't go into great detail on because it's explained much better in other places. One of these components however is a script that is executed once you are done filling out the wizard and hit 'Finished'. The answers that you provided in the GUI are passed to the script as variables and then the script executes. Deploying an iApp with tmsh essentially starts at this point, so in order to deploy an iApp you have to figure out the variables to pass and their values. The simplest way to do this is to deploy it through the GUI and then view it via tmsh with the list command:

list /sys application service testAppToDeploy.app/testAppToDeploy

As you can see the app gets its own directory (testAppToDeploy.app/) and then you reference the name within it (testAppToDeploy), so I recommend using tab completion to discover the actual app name. The output should look something like this:
sys application service testAppToDeploy.app/testAppToDeploy {
    description none
    device-group somegroup
    inherited-devicegroup true
    inherited-traffic-group true
    lists none
    metadata none
    partition Common
    strict-updates enabled
    tables {
        basic__snatpool_members {
            column-names none
            rows none
        }
        optimizations__hosts {
            column-names none
            rows none
        }
        server_pools__servers {
            column-names { port connection_limit addr }
            rows {
                { row { 80 0 10.1.1.1 } }
                { row { 80 0 10.1.1.2 } }
            }
        }
    }
    template f5.http
    template-modified no
    template-prerequisite-errors none
    traffic-group traffic-group-1
    variables {
        basic__addr { value 192.168.200.9 }
        basic__create_redir { value Yes }
        basic__need_snatpool { value No }
        basic__redir_port { value 80 }
        basic__secure_port { value 443 }
        basic__snat { value No }
        basic__using_ntlm { value No }
        optimizations__lan_or_wan { value WAN }
        server_pools__create_new_monitor { value "Create New Monitor" }
        server_pools__create_new_pool { value "Create New Pool" }
        server_pools__lb_method_choice { value least-connections-member }
        server_pools__monitor_http_version { value "Version 1.0" }
        server_pools__monitor_interval { value 30 }
        server_pools__monitor_recv { value OK }
        server_pools__monitor_send { value "GET /" }
        server_pools__tcp_request_queuing_enable_question { value No }
        ssl_encryption_questions__cert { value /Common/CopyOfDefault.crt }
        ssl_encryption_questions__key { value /Common/CopyOfDefault.key }
        ssl_encryption_questions__offload_ssl { value Yes }
    }
}

The parts you need to pay the most attention to are variables, tables and lists. For this app we have only tables and variables, so I'm going to take those sections, copy them somewhere else and modify the settings for my new deployment. You will also need to add the verb 'add', 'modify' or 'replace-all-with' before the first parenthesis. Also, if you're pasting this into tmsh shell mode, don't forget to remove all your newlines so that the command becomes a single line.
So for this example tables becomes:

tables add {
    basic__snatpool_members {
        column-names none
        rows none
    }
    optimizations__hosts {
        column-names none
        rows none
    }
    server_pools__servers {
        column-names { port connection_limit addr }
        rows {
            { row { 80 0 10.1.1.1 } }
            { row { 80 0 10.1.1.2 } }
        }
    }
}

Then just tack these modified sections on to the create command with any other options specified. In the end you should have something that looks roughly like this (a single line when pasted into tmsh):

create /sys application service aNewApplicationServiceName template f5.http description "This is my description" tables add { basic__snatpool_members { column-names none rows none } optimizations__hosts { column-names none rows none } server_pools__servers { column-names { port connection_limit addr } rows { { row { 80 0 10.1.1.1 } } { row { 80 0 10.1.1.2 } } } } } variables add { basic__addr { value 192.168.200.11 } basic__create_redir { value Yes } basic__need_snatpool { value No } basic__redir_port { value 80 } basic__secure_port { value 443 } basic__snat { value No } basic__using_ntlm { value No } optimizations__lan_or_wan { value WAN } server_pools__create_new_monitor { value "Create New Monitor" } server_pools__create_new_pool { value "Create New Pool" } server_pools__lb_method_choice { value least-connections-member } server_pools__monitor_http_version { value "Version 1.0" } server_pools__monitor_interval { value 30 } server_pools__monitor_recv { value OK } server_pools__monitor_send { value "GET /" } server_pools__tcp_request_queuing_enable_question { value No } ssl_encryption_questions__cert { value /Common/CopyOfDefault.crt } ssl_encryption_questions__key { value /Common/CopyOfDefault.key } ssl_encryption_questions__offload_ssl { value Yes } }

Hopefully this helps. Please let me know of any inaccuracies or typos. -Aaron

AS3 server node declaration
Hi all, I'm experimenting with AS3 declarations for configuring LTM services on BIG-IP nodes and can't seem to find a way to directly define static server nodes (create ltm node ..); the only way they get created is by configuring a pool with static members. Any ideas on what is the rationale behind it? Thanks, Vytautas

Add/Remove ServerSSL profile on a Virtual Server using SDK
Hi, I am trying to add/remove a ServerSSL profile to a Virtual Server using the F5 SDK. I have the following script that will read the current profiles from the Virtual Server, but I can't get my head around how to use .update() to delete a "serverssl" profile if it exists.

from f5.bigip import ManagementRoot
import getpass, sys

# Variable Section
BigIP = "172.31.129.70"
BigIP_username = "mshoaib"
vip_name = 'www.example.com-https'
BigIP_password = getpass.getpass(prompt='Enter password: ', stream=None)

# Connect to BigIP
f5_mgmt = ManagementRoot(BigIP, BigIP_username, BigIP_password)

# Load VIP first
vip_info = f5_mgmt.tm.ltm.virtuals.virtual.load(name=vip_name, partition='Common')

# Read all profiles
pf_info = vip_info.profiles_s.get_collection()

pf_list_before = []
print("Profiles before deletion:")
for a, pf in enumerate(pf_info):
    print(a, pf.name)
    pf_list_before.append(pf.name)
print(pf_list_before)

pf_list_after = []
print("--------")
# Iterate over a copy so that removing from pf_info does not skip entries
for pf in list(pf_info):
    if pf.name == 'serverssl':
        print(" Removing Server SSL")
        pf_info.remove(pf)

print("Profiles after deletion: ")
for a, pf in enumerate(pf_info):
    print(a, pf.name)
    pf_list_after.append(pf.name)
print(pf_list_after)

Output is:

[mshoaib@ca01net03 new_domain]$ python3.6 update-profiles.py
Enter password:
Profiles before deletion:
0 http_XForwardedFor
1 oneconnect
2 serverssl
3 tcp-lan-optimized
4 tcp-wan-optimized
5 wildcard.example.com-ssl
['http_XForwardedFor', 'oneconnect', 'serverssl', 'tcp-lan-optimized', 'tcp-wan-optimized', 'wildcard.example.com-ssl']
--------
 Removing Server SSL
Profiles after deletion:
0 http_XForwardedFor
1 oneconnect
2 tcp-lan-optimized
3 tcp-wan-optimized
4 wildcard.example.com-ssl
['http_XForwardedFor', 'oneconnect', 'tcp-lan-optimized', 'tcp-wan-optimized', 'wildcard.example.com-ssl']
[mshoaib@ca01net03 new_domain]$

The equivalent TMSH CLI commands are:

tmsh modify ltm virtual www.example.com-https profiles add { serverssl }
tmsh modify ltm virtual www.example.com-https profiles delete { serverssl }

I appreciate any code snippet or link. Thanks, Muhammad

Ansible bigip_command module error message
I'm trying to run a simple playbook to create a link in bash:

---
- name: Issue a command on the F5 devices
  hosts: all
  connection: local
  environment:
    F5_SERVER: '{ββ{ββ ansible_host | default(inventory_hostname) }ββ}ββ'
  gather_facts: false
  tasks:
    - name: Issue the command below
      bigip_command:
        commands:
          - 'ln -sf /dev/sr0 /dev/cdrom'

However, when I run this playbook, I'm getting an encoding error in AWX:

{ "msg": "'latin-1' codec can't encode characters in position 1-2: ordinal not in range(256)", "exception": "

I'm wondering if the playbook is trying to run the command in TMOS rather than bash. Googling for that error returns a lot of Stack Overflow posts re: Python and needing to convert or define the script with UTF-8.

Ansible Module for bash against F5 LTM
Hi folks, I'm trying to find an Ansible module that will actually work for bash against F5 LTMs. I've tried command, shell, and ansible.builtin.shell with no luck. Alternatively, an Ansible module that could execute a shell script already on the F5 LTMs would work as well. Here are a couple of examples of the bash commands I'm trying to execute:

tmsh save sys ucs lb1.ucs
scp /var/local/ucs/lb1.ucs admin@192.168.0.1:/var/local/ucs/
tmsh load sys ucs base.ucs
sleep 120
tmsh load sys ucs platform-migrate lb1.ucs
sleep 120
tmsh modify cm traffic-group traffic-group-1 ha-order none
tmsh modify cm device-group Employee_Sync_Failover devices none
tmsh delete cm trust-domain all
tmsh modify cm device lb1.fb configsync-ip none unicast-address none mirror-ip any6
tmsh delete net route all
tmsh delete net self all
tmsh delete net vlan all
tmsh modify sys global-settings mgmt-dhcp enabled
tmsh save sys ucs USE2-LBEMPL01A.ucs
cd /opt/aws/awscli-2.2.29/bin/dist
./aws s3 cp /var/local/ucs/lb2.ucs s3://f5-bubble-sync-fb5095-us-east-2/lb2/lb2.ucs

BIG-IQ v. 5.1 automation: Script to import multiple BIG-IPs errors out with "401 Authorization Required"
Hi, I am using "bulkDiscovery.pl" and my own "data.csv" from https://github.com/carldubois/bigiq-cm-restapi-bulk The csv file has just two BIG-IPs (VIP-1\nVIP-2). The script is run with the following command line args:

perl bulkDiscovery.pl -a admin:"PASSWD" -v -l -c data.csv -q admin:"PASSWD"

The following error is displayed:

401 Authorization Required webd

Further analysis shows the error is from line 302 of the script:

my $trustTask = &callCurl ($trustCmd, "Establish trust with $mip", $opt_v);

I have tried to curl the URI (line 301) from the command line with various permutations, but it gives the same error every time. Any advice would be appreciated. -Thanks