dev
11175 Topics

iRules For Notepad++
Hi, I started using BIG-IP last month. iRules Editor was fine but I love Notepad++, so I made a UserDefine. I think it will help many people like me, so I put it here.
Link: http://www.RealGame.co.il/F5/iRulesDefine-RealGame.zip
How to import: Language -> Define Your Language -> Import
File Extension: *.irul
I hope someone will take what I made and extend it because mine isn't perfect.
Updated: 15/04/2013
1.2K Views, 1 like, 10 Comments

Repeat question
Hi all, sorry for the repeat question but I can't seem to locate the original replies; they were quite some time ago. I recall someone providing some sample code to my question about having the BigIP send the log entries for a partition to an external syslogd server. The case in question is that we have a partition on a multi-tenanted Viprion in a data centre. Although I can use the syslog command to manually log things to an external syslogd, I would really like to have all entries normally logged to /var/log/ltm sent to the external syslogd. This would be especially useful for any TCL level sort of errors, for which in this setup I no longer have any visibility. I am hoping our provider will allow this change if it has no impact on their other customers. Otherwise I have to keep bugging them to send me extracts of the log file, which is annoying from a number of standpoints. I think their Viprion is running LTM 11.3.
Regards, Craig
268 Views, 1 like, 1 Comment

Match Across Services, Virtual Servers and Pools
Hi, could someone please help explain to me the difference between Match Across Services and Match Across Virtual Servers? An example will be much appreciated. I also have difficulty understanding Match Across Pools. According to the BigIP document, "Match Across Pools specifies that the LTM system can use any pool that contains this persistence entry." My understanding is that persistence is a property of (assigned to) a virtual server and not a pool. Again, an example is greatly appreciated. Thank you,
1.3K Views, 1 like, 3 Comments

404/403 Redirect
Hi Folks, I am looking to create an iRule that redirects to a generic www.domain.com/404.html whenever a 404 response is hit. This is obviously easy using HTTP::redirect. However, when I do this, the F5 returns a 200 response code. I need the rule to initially return a 404 for the requested URL (for SEO), then redirect over to my generic 404 page (for client-side usability). I have a working concept, which is as follows:

when HTTP_RESPONSE {
    # Handle error status' nicely
    switch [HTTP::status] {
        "403" {
            log local0.notice "Caught 403, redirecting to generic page"
            HTTP::respond 403 content [subst $::error_404] "Content-Type" "text/html; charset=UTF-8"
        }
        "404" {
            log local0.notice "Caught 404, redirecting to generic page"
            HTTP::respond 404 content [subst $::error_404] "Content-Type" "text/html; charset=UTF-8"
        }
        "500" {
            log local0.notice "Caught 500, redirecting to generic page"
            HTTP::redirect "http://www.domain.com/techdifficult.html"
        }
    }
}

Then, my error_404 is defined as html, which contains a meta-refresh to the 404/403 page. This is a pretty ugly way of doing this. Is there a better way? Thanks
240 Views, 1 like, 1 Comment

ssl::verify result question
Is there a way to use OpenSSL functions with SSL::verify_result? I've heard mention that SSL::verify_result uses functions from OpenSSL. Can I assume that it is mimicking the verify function? And if so, is there a way to extend SSL::verify_result to use either the -purpose or -issuer-checks parameters?

We are requiring client certs on our BigIP, but most of our clients have separate identity and email certificates signed by different intermediates of the same root CA. We are also using OCSP to do crl checking on the presented certs. When the client presents a valid identity cert, SSL::verify_result returns a 0, or "ok", the ocsp irule goes to the AUTH_SUCCESS event, and all is well. When the client submits an email certificate, SSL::verify_result returns a 0 "ok", and the ocsp irule goes to AUTH_FAILURE as expected (since we don't have crl's for the email root, it fails shut). Now, when the client presents a revoked (but not expired) certificate, SSL::verify_result still returns 0 "ok", and the ocsp irule goes to AUTH_FAILURE (as expected).

So the problem is that a revoked cert and an email cert flag the same results. They both fail ocsp, but there's no way to differentiate the two. So basically we need a way of telling them apart so we can alert the client appropriately. Thanks in advance. K Stewart
161 Views, 1 like, 0 Comments

Help :: Passing a client cert to internal web server
To anyone, we use BigIP's to proxy SSL traffic at our security perimeter. The external BigIP terminates the SSL stream, requires client certificates, and passes the unencrypted traffic through the layer 7 firewalls for inspection to the internal BigIP. The internal BigIP re-encrypts the traffic and sends it on to SSL-enabled web servers in our environment. We want to be able to pass a "client" certificate to the web server that is requiring (or accepting) client certs from the internal BigIP. We know that the client certificate can be embedded in the HTTP header, but many of the applications that we host internally are off-the-shelf products that we cannot or do not have the resources to modify to use header information. It would be of greatest benefit to be able to inject the x.509 certificate back into the ssl data stream and to present to the internal web server the same certificate that the client presented to the external BigIP. Thanks in advance. Kevin Stewart
131 Views, 1 like, 0 Comments

Calling another iRule from within an iRule
I am inspecting the header for a cookie and would like to direct the request accordingly. If the cookie is not there, the landing page will issue the cookie according to the user's choice of department. By the way, all the URLs resolve to the same VIP. The challenge I am facing is to make sure the URIs are valid for the corresponding URL. Meaning I have to allow certain URIs only. I have another iRule using switch. Can I call another iRule for the matching cookie, i.e. call HR_iRule for the HR cookie? If so, how?

Cookie_iRule

when HTTP_REQUEST {
    switch [HTTP::cookie Department] {
        "SALES" { HTTP::redirect "http://sales.abc.com" }
        "HR" { HTTP::redirect "http://hr.abc.com" }
        "IT" { HTTP::redirect "http://it.abc.com" }
        default { HTTP::redirect "http://www.abc.com" }
    }
}

HR_iRule

when HTTP_REQUEST {
    switch [string tolower [getfield [HTTP::uri] "/" 2]] {
        "benefits" { HTTP::redirect "http://hr.abc.com/portal/Benefits" }
        "ethics" { HTTP::redirect "http://hr.abc.com/portal/Ethics" }
        default { HTTP::redirect "http://hr.abc.com/portal" }
    }
}

635 Views, 1 like, 4 Comments

IRULE - IP::client_addr
Hello, I want to ask a question about "IP::client_addr". I wrote the following irule. When the client has the X.X.X.3 ip address, it goes to the first "if", that's okay and I see it in the ltm log (I opened a debug..), but the connection is not forwarded to the Pool x, it is forwarded to the default Pool. I also see from the log file that the same connection is also forwarded to the default pool. How can it be possible? What is wrong in this irule?

if { [IP::addr [IP::client_addr] equals x.x.x.0/24]}{
    pool X
}
if { [IP::addr [IP::client_addr] equals y.y.y.0/24]}{
    pool Y
} else {
    default pool
}

386 Views, 1 like, 4 Comments

Limiting number of concurrent connections to a member pool based on Source IP
Hi, I need to limit the number of concurrent connections to a virtual server based on source IP or source subnet. So, for example, a given IP or subnet can have only 5 simultaneous connections at any given time with a specific virtual server; if a 6th connection comes in then I'd like to reset or simply drop the incoming SYN. Any ideas on how to do this? Thanks, George
168 Views, 1 like, 0 Comments