APM inactivity timeout redirect or notification page for LTM + APM connections
Background on this: Have a customer that is publishing a Microsoft CRM instance behind APM and doing KCD with smart card auth. Access policy works fine, KCD works fine, web app works fine. The only problem we have is the inactivity timeout setting. Once the limit has been reached, the session is removed and content is no longer sent to the user in a very abrupt fashion. This is a problem because a lot of the page is cached on the client's workstation and all they see is broken JPEGs and incomplete web content. Once they click around they are re-authenticated but it is not pretty.

I want to find a way to notify the user they have been inactive for a certain amount of time, send an HTTP 200 response with content notifying them with a link to click on to re-authenticate. The option of increasing the inactive timeout is not an option due to their access session license limit. There would be a lot of abandoned sessions that would aggregate, potentially going over this limit. I know with webtop and SSL VPN, you get a notification that you are about to be logged out due to inactivity but this doesn't seem to be available for LTM + APM policies.

This is what I have so far, there has to be a more efficient way of doing this though.

    # Runs when an APM access session is created
    when ACCESS_SESSION_STARTED {
        # ::EXPIRE is a global variable, not a per-session one
        set ::EXPIRE "false"
    }

    # Runs when the access session is removed
    when ACCESS_SESSION_CLOSED {
        log local0. "Session has been closed"
        set ::EXPIRE "true"
    }

    # Replace the server response with a static notification page
    when HTTP_RESPONSE {
        if {$::EXPIRE equals "true"} {
            HTTP::respond 200 content " You've Been Logged out due to inactivity You have been logged out due to inactivity Thanks for Using the application Click to log back in. "
        }
    }

Session size garbage after an AD query, can I remove them?
Hello community, I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule. One of the federations needs to know, if somebody logs in and they are a manager, how many employees they have. I have found that this generates a lot of session variables, and I worry that I will exhaust the cache. So I wonder if there is any way to discard these session variables or mark them as garbage or something, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred! I'm curious if there is any way to discard these variables to exclude them from the session.

This is what I do: I use the following LDAP filter to get all enabled users that have them in the manager attribute:

    (&(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The filter works fine. To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute.

This generates session output like this:

    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn    CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1  CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2  CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3  CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4  CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net
    9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5  CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net
    ...

Now, I only care about how many employees they have, not who they are. As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables. Surely there must be some garbage collection functions or unset functions to tidy up our sessions? How would you guys implement this? Any ideas?

BIG-IP : deleted data-group/file contents are re-appearing in re-created data-group/file of same name
F5 BIG-IP LTM VE v11.4.0 on ESXi

Does BIG-IP somewhere retain contents of deleted data-files, perhaps in a hidden cache file or a database?

Consider the following sequence:

Via BIG-IP browser admin, I delete a data-group and then its related data-file. When I peruse BIG-IP's data dirs, the corresponding data-file is no longer present:

    /config/filestore/files_d/Common_d/data_group_d/:Common:test_data_file_57958_1

This is as expected. Also not present are any other data-files with names of the form:

    /:Common:test_data_file_*

This is also as expected.

Next, via the iControl API, I create a brand new data-group/file of the same name, test_data_file.

Via browser admin, I open the newly created data-file, and I'm very surprised to see remnants of the previous deleted data-file’s data (at the top of the file), along with some, but not all, of the data I supplied in the new external data-file (the one that was pointed to with the Browse button during the Create sequence).

This is completely unexpected. Really weird. Somehow BIG-IP is remembering the contents of a deleted data-file and then co-mingling that data with the new data supplied for a new data-file of the same name.

BIG-IP : iControl LocalLBDataGroupFile.set_local_path()
F5 BIG-IP LTM VE v11.4.0 on ESXi

iControl re-cache data-group operation: LocalLBDataGroupFile.set_local_path()

For a live prod BIG-IP cluster with a VIP iRule that is actively reading data from the data-group, is the above considered a risky operation? E.g. an attempted live-swap of the data-group's data-file fails due to locks or other systems-level issues, and the data-group is now unavailable to the iRule.

I've attempted a live-update of a data-file's contents via BIG-IP browser admin (copy/paste new contents and click “Update”) and seen the corresponding data-group become unavailable to the iRule.

The paranoid approach is to create a new data-group/file and a copy of the iRule modified to point to this new data-group, and then in the VIP’s iRule list swap old/new iRules, so as to never actually update a “live” data-group.

So now I am concerned about performing a similar operation via iControl LocalLBDataGroupFile.set_local_path() - although apparently this API is not actually live-updating a cached data-file but rather re-pointing the data-group to a new cached data-file?

RAM Cache and POST Requests
Is it possible to store responses to POST requests in RAM Cache using the URI and body as keys? Let's say I have a resource /deals that consumes a JSON body containing details of a product and returns the available deals for such product. This request doesn't modify any data in my backend. Should I use an iRule to do this? Thanks in advance!

F5-RAMcache cache only when the cache headers is present
Hello, I am trying to configure the F5 devices to enable cache only when the cache headers are present, caching for the time specified in the headers. After doing some tests I can see that objects without cache headers in the backend are cached with a random time-to-be-cached (I'm sure it is not random but I don't know the algorithm applied).

Does anybody know how to configure RAMCache to only cache the object when the cache headers are present? In all my tests the field Ignore Headers is set to "none".

I'd like to share my lab and tests, all of them run on an 8950 with version 10.2.4.

http profile applied

    profile http STATIC-HTTP {
        defaults from http
        ...
        ramcache enable
        ramcache size 512mb
        ramcache max entries 10000
        ramcache min object size 512
        ramcache max object size 102400
        ramcache ignore client cache control all
        ramcache aging rate 9
        ramcache insert age header enable
        ramcache uri exclude "/someobject.gif"
        ramcache uri include none
        ramcache uri pinned none
        ...
    }

F5 runtime memory - tmsh show /ltm profile ramcache STATIC-HTTP

    ....
    Host: www.domain.com
    URI : /file.html
    --------------------------------------
    Source Slot/TMM   0/7
    Owner Slot/TMM    0/0
    Rank              1
    Size (bytes)      274
    Hits              0
    Received          2015-07-15 06:11:04
    Last Sent         2015-07-15 06:11:04
    Expires           2015-07-15 06:39:24
    Vary Type         none
    Vary Count        1
    Vary User Agent   none
    Vary Encoding     none

    Total records returned: 2

Request to F5 - 2 requests, the second one with the origin content changed

    osmc@osmc:~$ curl --user-agent t7 -H"Host: www.domain.com" http://1.2.3.4/file.html -IXGET
    HTTP/1.1 200 OK
    Date: Wed, 15 Jul 2015 06:11:04 GMT
    Server: Apache
    Last-Modified: Wed, 15 Jul 2015 05:56:54 GMT
    ETag: "b-51ae39f32c30d"
    Accept-Ranges: bytes
    Content-Length: 11
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html

    osmc@osmc:~$ curl --user-agent t7 -H"Host: www.domain.com" http://1.2.3.4/file.html -IXGET
    HTTP/1.1 200 OK
    Server: Apache
    Last-Modified: Wed, 15 Jul 2015 05:56:54 GMT
    ETag: "b-51ae39f32c30d"
    Accept-Ranges: bytes
    Keep-Alive: timeout=5, max=100
    Content-Type: text/html
    Connection: Keep-Alive
    Date: Wed, 15 Jul 2015 06:11:48 GMT
    Age: 44
    Content-Length: 11

Requests to backend: 2 GETs with apache in foreground and changing the content requested

    curl -IXGET -H"Host: www.domain.com" http://apacheX/file.html
    HTTP/1.1 200 OK
    Date: Wed, 15 Jul 2015 06:11:21 GMT
    Server: Apache
    Last-Modified: Wed, 15 Jul 2015 05:56:54 GMT
    ETag: "b-51ae39f32c30d"
    Accept-Ranges: bytes
    Content-Length: 11
    Content-Type: text/html

    1.2.3.4 vhostX - [15/Jul/2015:08:11:37 +0200] "GET /file.html HTTP/1.1" 200 11 "-" "curl/7.19.5 (ostype) libcurl/7.19.5 OpenSSL/0.9.7d zlib/1.2.3" www.domain.com "-" "-" 1486

    date +%s > file.html && cat file.html
    1436940694

    curl -IXGET -H"Host: www.domain.com" http://apacheX/file.html
    HTTP/1.1 200 OK
    Date: Wed, 15 Jul 2015 06:11:37 GMT
    Server: Apache
    Last-Modified: Wed, 15 Jul 2015 06:11:34 GMT
    ETag: "b-51ae3d3a72c54"
    Accept-Ranges: bytes
    Content-Length: 11
    Content-Type: text/html

    1.2.3.4 vhostX - [15/Jul/2015:08:11:37 +0200] "GET /file.html HTTP/1.1" 200 11 "-" "curl/7.19.5 (ostype) libcurl/7.19.5 OpenSSL/0.9.7d zlib/1.2.3" www.domain.com "-" "-" 1486

Bypass caching when a cookie matching a pattern is present
We have created an iRule which should disable caching for any request containing a cookie matching a pattern (starting with SESS). It seems like all the rules we have tried have no effect. When caching is enabled for the pool, requests are always cached. Here is the latest rule we have:

    when HTTP_REQUEST {
        set c_cookies [HTTP::cookie names]
        if {[lsearch -regexp $c_cookies "SESS*"]} {
            CACHE::disable
        }
    }

Any ideas on why this wouldn't be working? Also, I'm curious if F5s respect the HTTP Cache-Control max-age header.

F5 LTM appears to be overwriting the cache-control response headers
BIG-IP LTM v15.1.4

When accessing our website through the F5 (VIP), the cache-control response headers are not honoring the values returned by the member servers in the Pool. When accessing the webservers directly (not through the F5) the cache-control header values are correct.

    INCORRECT HEADERS = cache-control: private
    CORRECT HEADERS   = cache-control: no-cache, no-store

We do not have any iRules modifying this header, we are not using Web Application Proxy (WAP), Web Acceleration, etc.

Low DNS Cache hit ratio
I have enabled transparent DNS cache on an F5 that is doing a DNS LTM (No GTM) and anycast via BGP injection role which was originally configured with the DNS iApp. However, the cache hit ratio is much lower than expected and increasing Message Cache Size and Resource Record Cache Size has made no difference. When looking at the cache (show ltm dns cache records rrset cache) it always shows only 1000 records regardless of cache sizes.

    Total records returned (tmm1): 1000

This is only a problem on higher utilization devices; those with lower utilization have a much higher cache hit ratio but also always show 1000 cached entries. Any ideas?