When using APM with an LDAP AAA server, are results cached?
I'm making extensive use of this sort of test:

[mcget {session.ldap.last.attr.memberOf}] contains "My_Groupname"

I was previously using Active Directory authentication and queries rather than LDAP, but changing to LDAP has cut down the login wait from up to 15 seconds down to several seconds. I'm almost certain that the APM is caching the membership results, however, because I make changes on the domain controller and the changes are not reflected on the BigIP - it seems to be using stale results. Any suggestions on the expected behavior, and how to change it? I know I can mix and match AD and LDAP authentication and queries if necessary, and AD was also caching but didn't seem to be as long when I set it to 0 days, and I could manually clear that cache for testing purposes.

343 Views, 0 likes, 1 Comment

dns transparent cache as authoritative?
Hello, I have inherited an F5 pair that is (in theory) an authoritative-only name server. It has a pool of three dns servers it passes queries to. The first lookup using the F5 as the dns server has the authoritative bit set. However, subsequent queries (cache hit) do not, until the ttl time has elapsed. In other words, it acts as a standard dns caching server that sets authoritative when it has to query an authoritative server for an answer. Is there a way to set up the F5 with this configuration to always answer authoritative?

bigip version 15.1.0.5
udp listener with dns profile name: "authoritative_dns"
authoritative_dns profile set:
    parent == dns
    dns express enabled
    dns cache enabled: set to "authoritative_cache"
authoritative_cache set:
    resolver type: transparent (NONE)

629 Views, 0 likes, 1 Comment

Writing URI for caching in regex
Hello everyone. Happy new year. In the web acceleration profile we want to use caching with a URI list. We want to match these URIs:

/appsuite/api/apps/load/*
/appsuite/v=*

So I've put this in the Include List:

\/appsuite\/api\/apps\/load\/.+
\/appsuite\/v=.+

It does not work. I'm not an expert with regex and I don't have equipment for testing. Could you help me to write it right or give me a link to a regex writing book for Big-IP? Thanks

362 Views, 0 likes, 1 Comment

Squid forward caching proxy server conflicting with Load Balancer; images, JS, CSS not rendering in application
Have an interesting one here that I hope others can help unravel. A user tells me that the website application, which sits behind an F5 LB, is not rendering properly, e.g. it is missing images, stylesheets, JavaScript files, and the like. And it's not just this user but a colleague at his workplace has the same issue and seemingly others in the company also can reproduce this issue. I will say that this client (as in the company) is the only one who has reported such an issue. No other companies who use the application are reporting pages not rendering content properly.

He had tried testing with a work laptop, work phone, personal phone, over the company network, cellular network, and home network and using multiple browsers. It was consistent across multiple browsers. I asked him to clear cache and cookies and that did not help. Here are the results of his testing:

Work laptop on home network: Pass.
Work laptop on company network: Fail.
Work laptop at their customer's location (possibly connected to customer's network): Fail
Work phone on company network: Fail.
Work phone on cellular network (Verizon)*: Fail.
Personal phone on cellular network (AT&T)*: Pass.
Work colleague of user laptop connected to said colleague's phone configured as hotspot (Sprint) (not sure if devices are work or personal)**:

**This was conducted while on company premises.

It didn't seem to matter what browser was employed. I didn't get a report that it worked in one browser but not another, for instance. To make a long story short, I asked him to send me a Fiddler log and the logs showed something that I cannot reproduce on my end. The Fiddler log shows the page loaded with HTTP 200 but the content on the page (i.e. JavaScript files, stylesheets, images) show HTTP 304. In the response headers, under Transport, for all requests, I see Connection: close and Via: 1.1 {unique ID} (squid/3.5.23) (The unique ID is some kind of specific value. It might be sensitive information so I decided to not include it in this post).

For , the response header Cache shows:

X-Cache: MISS from {unique ID}
X-Cache-Lookup: HIT from {unique ID}:{Port number}

For , the response header Cache shows:

X-Cache: HIT from {unique ID}
X-Cache-Lookup: HIT from {unique ID}:{Port number}

I don't recall seeing anything like this before. It looks to be Squid, a caching and forward proxy server, that is sitting in front of the client and making requests to the LB. Since this company is the only one who has reported this issue and I cannot reproduce it on my end, it's probably safe to say that either this company is running Squid, their ISP is running Squid, or even both. I pressed the user to inquire with the company's IT if they are running any proxies and the answer was no. It's certainly possible the company's IT could be mistaken.

Today, the user says that he came into his office and everything is working now. He tried Firefox, IE, wireless network, cellular network and does not understand why it's working. The likely possibilities I can think of as to what and why are:

Squid cache was flushed, which means this problem may return in the future.
Squid was not configured properly by company's IT/ISP and now it is, thus resolving the issue.
Squid was taken offline and the client is connecting directly to the LB now.

What I am very concerned about is what happens if the company reports the same issue or maybe another company who is running Squid or some other forward caching/proxy server reports the same issue? I really don't know if this is something where I have to tell the user that this is not our problem, this is your IT infrastructure and/or your local ISP's problem. In other words, whether the Squid server is configured properly or not, is this something where the LB needs to be configured such that it works around the problem? Does that make sense? If there is a configuration change that I need to enact on the LB, what are these changes and what are step-by-step instructions? I'm sorry for the long-winded explanation but I'm trying to be detailed and thorough with this. Thank you very much.

784 Views, 0 likes, 1 Comment

TLS Session resumption (caching) - NO
Hi, My SSL profile keeps giving me this orange warning on SSLLABS:

TLS Session resumption (caching) No (IDs assigned but not accepted)

I've done my research, and it was known to give this when more SSL profiles are used under one VS - this is not the case with me. I have Cache size set to default 262144 sessions with 7200 seconds timeout (lowering the numbers did not do the trick). My ciphers are:

!LOW:!SSLv2:!SSLv3:!MD5:!RC4+SHA:!EXPORT:!DHE:ECDHE+AES:AES+SHA+RSA:@STRENGTH

but I don't really believe it's the ciphers' fault (though I have read similar problem was with TLS1.2 on Windows Server, and a rollback to TLS1.1 fixed the issue). Any ideas or experience with this? Or should I now worry (though my client is a bit picky, and anything less than green on SSLLABS is a problem...)

430 Views, 0 likes, 0 Comments

Simple Questions from a Newbie...
1) We want to cache very specific paths on our site, mainly for static content. If we wanted to cache everything under say http://example.com/pdfs, would we just add ‘/pdfs/*’ to the URI Include list?
2) If we do this, are we sure that it would NOT be caching http://example.com/ (root path) or even something like http://example.com/foo?
3) Is there a way to view cache contents – as in, what files it is actually caching?

258 Views, 0 likes, 1 Comment

Caching on F5
All, I'm trying to enable caching on the F5. My F5's are running v12.1.2(HA) and load balancing apache servers. Caching is enabled on these servers. But F5 seems to be forcing it off. When I go to the Application directly from the server, I'm seeing all static content like images, css files are showing as 'from servercache'. When I go to application through F5, I can see content is downloaded taking some time. How can I enable caching to avoid this? I applied a webacceleration profile to the VIP but ramcache list showing 0 records. Any help is appreciated. Thanks

340 Views, 0 likes, 1 Comment

iRule header removal for cached item responses
Does anyone know if iRules do not apply to cached responses? I like to strip out X-Powered-By headers from my responses, but I'm seeing that header on the client side of things; I haven't made any changes to my iRule (though it's a large one shared between multiple VSs) which leads me to believe that the HTTP_Request and HTTP_Response rules aren't being applied to cached responses.

218 Views, 0 likes, 1 Comment

AAM: how to cache home page? (when path = /)
I'm trying to figure out how to cache pages if the request doesn't contain a file name (e.g. http://www.domain.com/). I assumed that the MIME-type of the Object Type (under Policies) would classify HTML-pages as such, but it looks like this doesn't cover requests without a matching file extension. What am I missing?

816 Views, 0 likes, 12 Comments