Dev Setup Help
Hi,

I'm looking for advice on setting up an F5 client to help debug a JavaScript error on a VPN client. I don't have vSphere, but I was able to convert the .OVA BIG-IP Next Central Manager to a .vhdx and run it on Hyper-V Manager. I'm able to log into the VM and run the setup. I used all the defaults and the IP address on the VM for the hostname. This allows me to log in to the UI and start the bootstrap process, which fails, and additional attempts return a 500 error from the server.

Is this something that I should be able to get working? Where can I view the server logs? Any recommendations would be appreciated.

Best regards,
Jonathan

Solved | 21 Views | 0 likes | 1 Comment

Maintenance page - hosted on LTM or redirect with fallback host - or both?
I'm in the process of implementing an automated maintenance page that is displayed when I have a pool with no healthy members. Looking around, I see two distinct methods of doing this: utilizing the fallback host feature and redirecting to another URL, or setting up a page to be hosted on the LTM and using an iRule with "[active_members [LB::server pool]] < 1" in it.

Does anyone have any opinions on which one is preferred, and why? Currently, I'm using the fallback host method and I'm redirecting to a page hosted on AWS. My setup includes about 70 virtual servers on a 3600 HA cluster; some are QA, some are non-HTTP. I will likely have the need for multiple versions of the maintenance page, depending on the site content it fronts.

The one thing I do see as an advantage of the LTM-hosted option is that an iRule code example shows a refresh option being used to automatically pull up the healthy site when it becomes available.

Thanks!!
Chris

324 Views | 0 likes | 5 Comments

Removing port from a redirect
Hi all,

One of our web developers has asked me if we could strip off a port number in a redirect they are doing. I thought the following would do this, but it doesn't appear to work.

    when HTTP_RESPONSE {
        # Only act on redirect responses
        if { [HTTP::is_redirect] } {
            if { [HTTP::header Location] contains "www.acme.com:10040" } {
                log "Original Location value: [HTTP::header Location]"
                # Rewrite the Location header using a string map
                HTTP::header replace Location [string map -nocase {www.acme.com:10400 www.acme.com} [HTTP::header value Location]]
                log "Updated Location value: [HTTP::header Location]"
                return
            }
        }
    }

And here is what is written to the log:

    Original Location value: www.acme.com:10040/secure/discussion-forum
    Updated Location value: www.acme.com:10040/secure/discussion-forum

Note: actually the log includes http, but if I enter a URL in this new forum s/w it does odd things to it.

Any help appreciated.
Craig

437 Views | 0 likes | 9 Comments

Using a default persistence profile and iRule persistence on the same VS
I have an iRule applied to a VS that sends traffic to different pools based on its URI. I have a default persistence profile defined already on the VS (smsession), but on one of the pools I would like to use a different method of persistence (cookie). If I define the persistence to that pool in my iRule as shown below, which method of persistence is used in the end? Can you use a default persistence profile AND specify a different method using an iRule?

    when HTTP_REQUEST {
        set header_uri [string tolower [HTTP::uri]]
        if { [matchclass $header_uri starts_with $::www_uri] } {
            pool WWW_Pool
        } elseif { [matchclass $header_uri starts_with $::oam_uri] } {
            HTTP::redirect "https://oam.companyname.com/oam/main/oamMain.jsp"
        } elseif { [matchclass $header_uri starts_with $::cp_uri] } {
            # Cookie persistence for this pool only
            persist cookie insert "CP_Cookie" "0d 03:00:00"
            pool CP_Pool
        } else {
            pool My_Pool
        }
    }

255 Views | 1 like | 2 Comments

Wildcard SSL doesn't handle root domain?
My understanding of this may be lacking, but is there no way for a wildcard SSL certificate to handle the "root" domain?

Example: I have a wildcard cert for "*.foo.com". It handles SSL requests as expected for "www.foo.com", but browsers will throw an identity verification error if the request went directly to "foo.com".

Both https://www.foo.com and https://foo.com resolve to the same IP address/F5 pool. That pool is using the wildcard cert (and works correctly with https://www.foo.com).

Is this not a function of a wildcard SSL certificate?

Thanks

1.4K Views | 0 likes | 7 Comments

Pass Client Cert to a Specific URI
I am attempting to do SSL offloading with an MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web-based appstore) that requires a client cert. With a Standard type virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance Layer 4 it works. Like I said, everything else works with the exception of this single feature, but this has to work.

Is there a way to either just pass the client cert on to the back end for the specific URI or for any URI?

    /mifs/c/api/v1/client/$DEVICE_CLIENT_ID$/appstore

I have an SSL Server profile enabled with the back-end servers, so I am not really doing SSL offloading. I am just trying to get log data, as the application does not provide much insight into what is going on, and I have a need to apply iRules to restrict access to specific URIs from public locations, which I cannot do without an HTTP profile.

Thanks

419 Views | 0 likes | 2 Comments

Embed images in an I-Rule with "HTTP::respond content" using only HTML
Hello everyone (this is my first post),

Recently I was asked to write an I-Rule that served an HTML page when our server pool was unavailable. I thought this would be a piece of cake, until they demanded that the page include images. I did heavy forum searching and found several solutions to serve up images directly from the F5, but they were all pretty involved/complicated for my tastes, so I came up with what I believe is a new method. I encoded the images using the base64 algorithm.

There are applications out there to do this, commands built into your OS depending on your machine, and even (my favorite) websites that will do this with the click of a button (great if you're running a Microsoft OS). I've used http://www.opinionatedgeek.com/dotnet/tools/base64encode/ with great success. Keep in mind that the encoded image will make for one really long line of text. I have some up to 7,000 characters long.

The following image tag will tell the browser to decode the image (or rather text at this point) on the fly:

    <img src="_ENCODED_TEXT_HERE">

I've attached a sample HTML (txt) file with the F5 image embedded so you can see some functional HTML.

The process is simple.

1. Encode your image in base64
2. Create your I-Rule with HTTP::respond content
3. Embed the encoded text in your HTML image tag

Here is an example outage I-Rule:

    when HTTP_REQUEST {
        # Serve the outage page when the pool has no active members
        if {[active_members Pool_Name_Here] < 1} {
            HTTP::respond 503 content {
                <html>
                <body>
                <center>
                <h2>The Following Image has been embedded in this HTML file using base64 encodeing
                <img src="_ENCODED_TEXT_HERE">
                <hr>I'm sure F5 won't mind me using their logo since this is after all, a document on how to embed images in an F5 HTTP::respond content command
                </center>
                </body>
                </html>
            }
        }
    }

374 Views | 0 likes | 1 Comment

iRule to retry with modulus operator
Hi,

We have 4 pools and we are redirecting the request to each pool by calculating the modulus of the crc32 value of an HTTP header id. I have written the following iRule for that.

In the HTTP header we will get objectId, and we will do crc32 and get a value, and after that we do a modulus to redirect to the appropriate pool (and further redirection to the appropriate pool via HTTP::uri), so that all same objectId remain in all same subsystem pools. From the start we know we have 3 nodes in each pool.

    when HTTP_REQUEST {
        set uri [HTTP::uri]
        if { [string tolower $uri] contains "/api/gateway" or [string tolower $uri] contains "/api/channel" or [string tolower $uri] contains "/api/space" } {
            # Hash the objectId header and reduce it to one of 3 node indexes
            set orgid [crc32 [HTTP::header objectId]]
            set key [expr {$orgid % 3}]
            log "mod value is $key"
            if { $key == 0 } {
                log "Redirecting to Pool 0"
                switch -glob [string tolower $uri] {
                    "/api/channel*" { pool channel-pool member 192.168.159.133 8088 }
                    "/api/space*" { pool space-pool member 192.168.159.133 8089 }
                    "/api/gateway*" { pool gateway-pool member 192.168.159.133 8087 }
                    default { pool default_pool member 192.168.159.133 80 }
                }
            } elseif { $key == 1 } {
                log "Redirecting Pool 1"
                switch -glob [string tolower $uri] {
                    "/api/channel*" { pool channel-pool member 192.168.159.134 8088 }
                    "/api/space*" { pool space-pool member 192.168.159.134 8089 }
                    "/api/gateway*" { pool gateway-pool member 192.168.159.134 8087 }
                    default { pool default_pool member 192.168.159.134 80 }
                }
            } elseif { $key == 2 } {
                log "Redirecting to Pool 2"
                switch -glob [string tolower $uri] {
                    "/api/channel*" { pool channel-pool member 192.168.159.135 8088 }
                    "/api/space*" { pool space-pool member 192.168.159.135 8089 }
                    "/api/gateway*" { pool gateway-pool member 192.168.159.135 8087 }
                    default { pool default_pool member 192.168.159.135 80 }
                }
            }
        }
    }

Now we have a functionality that if one member in any pool went down, it will not send requests to the same node across all pools. But how can we decrease the number from 3 to 2 or some other value if it finds any member in any pool as down? If anybody can help me on this.

Thanks.

332 Views | 0 likes | 3 Comments

Request client cert based on URI access
Hi!

I've been dredging DevCentral and built 4 or 5 iterations of an iRule with mixed success. I made a good breakthrough, but then the scope creeped and I'm back at step 1.

I am attempting to develop an iRule that will limit access to certain URIs based upon the client providing a certificate. The trick is users can only be prompted to provide a certificate when they access the specific URI.

I've started fresh using the example provided here: http://devcentral.f5.com/wiki/iRule...ation.ashx

I've obfuscated some data but nothing critical to the running of the iRule. I've also changed the outcome: I just want the PEM-encoded cert inserted in the header (processing occurs on the application server).

In its current form, the connection seems to 'hang', which makes me think the HTTP::release isn't happening.

Here is where I am now:

    # Initialize the variables on new client tcp session.
    when CLIENT_ACCEPTED {
        set collecting 0
        set renegtried 0
    }

    # Runs for each new http request
    when HTTP_REQUEST {
        if { $renegtried == 0 and [SSL::cert count] == 0 and ( [HTTP::uri] equals "/URI/ClientCert" ) } {
            HTTP::collect
            set collecting 1
            SSL::cert mode request
            SSL::renegotiate
        }
    }

    when CLIENTSSL_HANDSHAKE {
        if { $collecting == 1 } {
            set renegtried 1
            HTTP::release
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            if { [SSL::cert count] > 0 } then {
                # set a variable for the whole cert - cut out the BEGIN and END crap though
                set ssl_cert_whole [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole [SSL::cert 0] ] ] "" ]]
                # log to show we are receiving the cert
                log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
                # insert the whole cert as a header
                HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
            } else {
                log local0. "Restricted zone. No client cert detected - redirecting."
                HTTP::redirect "https://error.com";
            }
        }
    }

Any help would be awesome.

451 Views | 0 likes | 5 Comments