iRule Developer Tools
Hi All, I've made a set of developer tools for Tcl including iRules, https://github.com/bitwisecook/tcl-lsp This includes LSP server Editor integrations for VSCode, Sublime Text, Zed, Jetbrains, Helix, neovim, emacs and more (though I've only really hammered on vscode there) MCP server Claude skills cli tool Semantic token highlighting Hover docs Format string interpreters AI tools for creating, explaing, validating, documenting, diagramming iRules and Tcl full optimising compiler chain with 26 optimiser passes 27 iRule specific diagnostics and optimisations Security warnings through taint tracking (use of user input tracked through the code) Shimmer detection with inline type hints (know when a variable type is being reinterpreted) Code formatting Code minification Compiler explorer to look at how your code is interpreted A full iRule testing framework and more. This is only based on publicly available information and my memory, though I have deployed enough iRules. This is the tool I always wanted. I could do with help expanding and improving the profile -> event / command maps, and the iRule event graph, and with generally finding bugs, so please, open issues. I will be away on holiday for a couple of weeks so please bear in mind I may take a little time to get back to you. cheers, Jim 🇬🇧🇦🇺
Create Domino LTPA token on F5 problem
Hi, I'm trying to use the code at http://per.lausten.dk/blog/2009/06/how-to-create-a-ltpa-session-cookie-for-lotus-domino-using-f5.html to create a Domino LTPA token but I am getting the following error showing on the Domino server: Token does not lead with 0 [Single Sign-On token is invalid]. The token should begin with the version number 0123 e.g. from the code set ltpa_version "\x00\x01\x02\x03" However, after decoding the token and then looking at it in a hex editor the version number shows as: C0 80 01 02 03 ....... Can somebody explain to me why the \x00 is being changed to C0 80 please? I've experimented putting other numbers in thefirst position to see what happens e.g. \x01\x01\x02\x03 and the hex readout looks correct i.e. 01 01 02 03. It only fails when I use a \x00 in the first position. Thanks for any suggestions. Jeff
Maintenance page - hosted on LTM or redirect with fallback host - or both?
I'm in the process of implementing an automated maintenance page that is displayed when I have a pool with no healthy members. Looking around, I see two distinct methods of doing this - utilizing the fallback host feature and redirecting to another url, or setting up a page to be hosted on the LTM and using an iRule with " [active_members [LB::server pool]] < 1" in it. Does anyone have any opinions on which one is preferred, and why? Currently, I'm using the fallback host method and I'm redirecting to a page hosted on AWS. My setup includes about 70 virtual servers on a 3600 HA cluster - some are QA, some are non-http. I will likley have the need for multiple versions of the maintenance page, depending on the site content it fronts. The one thing I do see as an advantage of the LTM hosted option is that an iRule code example shows a refresh option being used to automatically pull up the healthy site when it becomes available. Thanks!! ChrisRemoving port from a redirect
Hi all, One of our web developers has asked me if we could strip off a port number in a redirect they are doing. I thought the following would do this, but it doesn't appear to work. when HTTP_REPSONSE { if { [HTTP::is_redirect] } { if { [HTTP::header Location] contains "www.acme.com:10040" } { log "Original Location value: [HTTP::header Location]" HTTP::header replace Location [string map -nocase {www.acme.com:10400 www.acme.com} [HTTP::header value Location]] log "Updated Location value: [HTTP::header Location]" return } } } And here is what is written to the log Original Location value: www.acme.com:10040/secure/discussion-forum Updated Location value: www.acme.com:10040/secure/discussion-forum Note: actually the log includes http but if I enter in a URL in this new forum s/w it does odd things to it. Any help appreciated. Craig
Using a default persistence profile and iRule persistence on the same VS
I have an iRule applied to a VS that sends traffic to different pools based on its uri. I have a default persistence profile defined already on the VS (smsession) but on one of the pools I would like to use a different method of persistence (cookie). If I define the persistence to that pool in my iRule as shown below, which method of persistence is used in the end? Can you use a default persistence profile AND specify a different method using an iRule? when HTTP_REQUEST { set header_uri [string tolower [HTTP::uri]] if { [matchclass $header_uri starts_with $::www_uri] } { pool WWW_Pool } elseif { [matchclass $header_uri starts_with $::oam_uri] } { HTTP::redirect "https://oam.companyname.com/oam/main/oamMain.jsp" } elseif { [matchclass $header_uri starts_with $::cp_uri] } { persist cookie insert "CP_Cookie" "0d 03:00:00" pool CP_Pool } else { pool My_Pool } }
Wildcard SSL doesn't handle root domain?
My understanding of this may be lacking, but is there no way for a wilcard ssl certificate to handle the "root" domain? Example: I have a wildcard cert for "*.foo.com". It handles SSL requests as expected for "www.foo.com", but browsers will throw an identify verification error if the request went directly to "foo.com". Both https://www.foo.com and https://foo.com resolve to the same IP address/F5 Pool. That pool is using the wildcard cert (and works correctly with https://www.foo.com). Is this not a function of a wildcard SSL certificate? Thanks
Pass Client Cert to a Specific URI
I am attempting to do SSL Offloading with a MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web based appstore) that requires a client cert. With a standard type Virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance Layer 4 it works. LIke I said, everything else works with the exception of this single feature, but this has to work. Is there a way to either just pass the client cert on to the back end for the specific URI or for any URI? /mifs/c/api/v1/client/$DEVICE_CLIENT_ID$/appstore I have a SSL Server profile enabled with the back end servers so I am not really doing SSL Offloading, I am just trying to get log data as the application does not provide much insight into what is going on and I have need to apply iRules to restict access to specific URIs from public locations which I cannot do with out an HTTP profile. Thanks
Embed images in an I-Rule with "HTTP::respond content" using only HTML
Hello everyone (this is my first post), Recently I was asked to write an I-Rule that served an HTML page when our server pool was unavailable. I thought this would be a piece of cake, until they demanded that the page include images. I did heavy forum searching and found several solutions to serve up images direclty from the F5, but they were all pretty involved/complicated for my tastes, so I came up with, what I believe is a new method. I encoded the images using the base64 algorithm. There are applications out there to do this, commands built into your OS depending on your machine, and even (my favorite) websites that will do this with the click of a button (great if your running a Microsoft OS). I've used http://www.opinionatedgeek.com/dotnet/tools/base64encode/ with great success. Keep in mind that the encoded image will make for one really long line of text. I have some up to 7,000 characters long. The following image tag will tell the browser to decode the image (or rather text at this point) on the fly: img src="data:image/gif;base64,INSERT_ENCODED_TEXT_HERE" I've attached a sample HTML (txt) file with the F5 image embeded so you can see some funtional HTML. The process is simple. Encode your image in base64 Create your I-Rule with HTTP::respond content Embed the encoded text in your HTML Image Tag Here is an example outage I-Rule Hello everyone (this is my first post), Recently I was asked to write an I-Rule that served an HTML page when our server pool was unavailable. I thought this would be a piece of cake, until they demanded that the page include images. I did heavy forum searching and found several solutions to serve up images direclty from the F5, but they were all pretty involved/complicated for my tastes, so I came up with, what I believe is a new method. I encoded the images using the base64 algorithm. There are applications out there to do this, commands built into your OS depending on your machine, and even (my favorite) websites that will do this with the click of a button (great if your running a Microsoft OS). I've used http://www.opinionatedgeek.com/dotnet/tools/base64encode/ with great success. Keep in mind that the encoded image will make for one really long line of text. I have some up to 7,000 characters long. The following image tag will tell the browser to decode the image (or rather text at this point) on the fly: img src="data:image/gif;base64,INSERT_ENCODED_TEXT_HERE" I've attached a sample HTML (txt) file with the F5 image embeded so you can see some funtional HTML. The process is simple. Encode your image in base64 Create your I-Rule with HTTP::respond content Embed the encoded text in your HTML Image Tag Here is an example outage I-Rule when HTTP_REQUEST { if {[active_members Pool_Name_Here] < 1} { HTTP::respond 503 content { html> body> center> h2>The Following Image has been embedded in this HTML file using base64 encodeing img src="data:image/gif;base64,INSERT_ENCODED_TEXT_HERE"> hr>I'm sure F5 won't mind me using their logo since this is after all, a document on how to embed images in an F5 HTTP::respond content command /center> /body> /html>
