ACCESS::disable with policy "OAuth-Resource Server" ?
Hello, Anyone knows how if equivalent of "ACCESS::disable" is possible on "OAuth-Resource Server" apm policy? At the end I want to allow pre-flight CORS calls to bypass the apm. I tried this irule but seems to not be working with F5 as "oauth RS", I still get response"HTTP/1.1 400 Bad Request" because of auth failed. Thanks Alexandre. when HTTP_REQUEST { if {([HTTP::method] eq "OPTIONS") && [HTTP::header exists "Access-Control-Request-Method"] && [HTTP::header exists "Access-Control-Request-Headers"] && [HTTP::header exists "Origin"] && [HTTP::header Origin] ends_with "XXXXXXXXXXX" } { #log local0. "Disable apm - [HTTP::method] - [HTTP::host][HTTP::uri]" ACCESS::disable } }
How to bypass default two way SSL authentification on a specific URI pattern on a same virtual server, ie. same client ssl profile
I have one virtual server which use a client SSL profile which require two way SSL authentification. By default, a client certificate X509 is required for any URI requested. I'am looking for a way (with IRule) to bypass client authentication (by stay in one way SSL server authentification) for some specific URIs. Who xan help me ? LTM/ASM v11.2
Confused of link the external links in a webapplication
Hello, im at a client that has published a webapplication. This webapplication has three links (that goes to different webshop with logins Im a bit confused about the behavior. First none of the links worked, the customer had this error. "Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please." Then they links to a bypass list, but still got errors. Before we did not have a serverssl profle on the virtualprofile for the protal, but we when they added the serverssl profile Serverssl-insucure-compatible. It worked better. There is one link that does the authentication in the link (like this), i know its no good. https://www.webshop.com/cgi-bin/sfti/webshop_login.cgi?USERNAME=orange&PASSWORD=apple&HOOK_URL=[er The apm dont seem to send the link. But still. I cant really understand why it did not work when i had no serverssl profle? And it started to work when i added it? If i have the links in bypass they should just open as normal in the webrowser.
Selective Pass-through
Hello, I need to inject data into some webpages using an iRule. The backend-server sends HTTP data chunked and compressed (gzip). However, only some pages need to be injected into. Those can be identified by an HTTP-Header (and only this way). I also need all outgoing traffic to be chunked and compressed and with working keep-alive connections. I got this working by setting Response Chunking and Compression to Selective and perform the injection itself in an iRule using STREAM::expression . The problem however is that all data is being decompressed (and in turn rechunked) by the f5, as soon as the compression module is not set to Disabled . This induces an unnecessarily high load on the f5, which I'd like to avoid. What I want is to identify the header in the response from the backend-server, if found inject, rechunk and recompress; otherwise completely pass-through all HTTP data without processing anything. Setting the compression module to Disabled seems to be unfeasible, since I can't perform an injection anymore. Using COMPRESS::disable disables compression, not the compression module, thus decompressing everything from the server and sending it uncompressed to the client. After fiddling around a bit, it seems that compression can be disabled implicitly by disabling HTTP processing ( HTTP::disable ). But this seems to be incompatible with keep-alive connections (because the next request on the same connection isn't recognized). And now I ran out of ideas and ask here: is there any way to archive a selective pass-through, depending on a header sent by the backend-server? I am using BIG-IP 10.2.4 Build 577.0 Final. We are thinking about switching to 11 in the mid-term, but a solution for 10 would be nice. Thanks, Christian
