Using a default persistence profile and iRule persistence on the same VS
I have an iRule applied to a VS that sends traffic to different pools based on its URI. I have a default persistence profile defined already on the VS (smsession), but on one of the pools I would like to use a different method of persistence (cookie). If I define the persistence for that pool in my iRule as shown below, which method of persistence is used in the end? Can you use a default persistence profile AND specify a different method using an iRule?

    when HTTP_REQUEST {
        set header_uri [string tolower [HTTP::uri]]
        if { [matchclass $header_uri starts_with $::www_uri] } {
            pool WWW_Pool
        } elseif { [matchclass $header_uri starts_with $::oam_uri] } {
            HTTP::redirect "https://oam.companyname.com/oam/main/oamMain.jsp"
        } elseif { [matchclass $header_uri starts_with $::cp_uri] } {
            # cookie persistence requested for this pool only; the VS default is smsession
            persist cookie insert "CP_Cookie" "0d 03:00:00"
            pool CP_Pool
        } else {
            pool My_Pool
        }
    }
Wildcard SSL doesn't handle root domain?

My understanding of this may be lacking, but is there no way for a wildcard SSL certificate to handle the "root" domain? Example: I have a wildcard cert for "*.foo.com". It handles SSL requests as expected for "www.foo.com", but browsers will throw an identity verification error if the request went directly to "foo.com". Both https://www.foo.com and https://foo.com resolve to the same IP address/F5 pool. That pool is using the wildcard cert (and works correctly with https://www.foo.com). Is this not a function of a wildcard SSL certificate? Thanks
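The browser behaviour in the question follows from how certificate names are matched: a wildcard is honoured only as the entire left-most label and stands in for exactly one label, so "*.foo.com" covers "www.foo.com" but neither the bare "foo.com" nor "a.b.foo.com". A certificate that carries both "foo.com" and "*.foo.com" as SAN entries covers both hostnames. The Python below is an added example, not code from the post or from F5, that implements that rule (RFC 6125 section 6.4.3, plus the partial-wildcard restriction browsers apply) so the cases can be checked offline; the hostnames are the ones from the post.

```python
"""Certificate name matching the way browsers do it.

Added example, not code from the post or from F5. Implements the wildcard
rule of RFC 6125 section 6.4.3 with the restriction browsers apply: '*' is
honoured only as the whole left-most label, it matches exactly one label,
and a pattern must have at least three labels (no "*.com"). Use the real
TLS stack in production; this is to show why "*.foo.com" fails for "foo.com".
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label. A bare '*' matches any single non-empty label;
    partial wildcards such as 'www*' are rejected outright."""
    if pattern_label == "*":
        return host_label != ""
    if "*" in pattern_label:
        return False
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a dNSName SAN entry) matches hostname.
    Comparison is case-insensitive, a trailing dot on either side is ignored,
    and the label counts must be equal: a wildcard never stands in for zero
    labels (the apex) or for more than one (a.b.foo.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN dNSName covers hostname. Browsers ignore the CN once a
    SAN extension is present, so this takes the SAN list, not the CN."""
    return any(name_matches(n, hostname) for n in san_names)


if __name__ == "__main__":
    wildcard_only = ["*.foo.com"]                  # what the post's certificate carries
    wildcard_plus_apex = ["*.foo.com", "foo.com"]  # what a browser needs for both names
    for names in (wildcard_only, wildcard_plus_apex):
        for host in ("www.foo.com", "foo.com", "a.b.foo.com"):
            print(f"{names!s:28} {host:14} {cert_covers(names, host)}")
```

Running it prints False for foo.com with the wildcard-only list and True for both www.foo.com and foo.com once the apex name is in the SAN list. The practical fix for the situation in the post is therefore a reissued certificate listing the apex name alongside the wildcard, not a change on the BIG-IP.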
Pass Client Cert to a Specific URI

I am attempting to do SSL offloading with an MDM solution by MobileIron. Everything seems to work fine with SSL offloading except for one URL that mobile devices use to reach a WebClip (web-based app store) that requires a client cert. With a Standard type virtual server with SSL offloading, the client just hangs and eventually times out while trying to reach the link. As soon as I switch the virtual server type to Performance (Layer 4) it works. Like I said, everything else works with the exception of this single feature, but this has to work. Is there a way to either just pass the client cert on to the back end for the specific URI, or for any URI?

    /mifs/c/api/v1/client/$DEVICE_CLIENT_ID$/appstore

I have a Server SSL profile enabled with the back-end servers, so I am not really doing SSL offloading; I am just trying to get log data, as the application does not provide much insight into what is going on, and I need to apply iRules to restrict access to specific URIs from public locations, which I cannot do without an HTTP profile. Thanks
Embed images in an I-Rule with "HTTP::respond content" using only HTML

Hello everyone (this is my first post),

Recently I was asked to write an iRule that served an HTML page when our server pool was unavailable. I thought this would be a piece of cake, until they demanded that the page include images. I did heavy forum searching and found several solutions to serve up images directly from the F5, but they were all pretty involved/complicated for my tastes, so I came up with what I believe is a new method. I encoded the images using the base64 algorithm. There are applications out there to do this, commands built into your OS depending on your machine, and even (my favorite) websites that will do this with the click of a button (great if you're running a Microsoft OS). I've used http://www.opinionatedgeek.com/dotnet/tools/base64encode/ with great success. Keep in mind that the encoded image will make for one really long line of text; I have some up to 7,000 characters long. The following image tag will tell the browser to decode the image (or rather text at this point) on the fly:

    <img src="data:image/gif;base64,INSERT_ENCODED_TEXT_HERE">

I've attached a sample HTML (txt) file with the F5 image embedded so you can see some functional HTML. The process is simple:

1. Encode your image in base64
2. Create your iRule with HTTP::respond content
3. Embed the encoded text in your HTML image tag

Here is an example outage iRule:

    when HTTP_REQUEST {
        if { [active_members Pool_Name_Here] < 1 } {
            # the page is a Tcl brace literal, so it must not contain unbalanced braces
            HTTP::respond 503 content {
    <html>
    <body>
    <center>
    <h2>The Following Image has been embedded in this HTML file using base64 encoding</h2>
    <img src="data:image/gif;base64,INSERT_ENCODED_TEXT_HERE">
    <hr>I'm sure F5 won't mind me using their logo since this is after all, a document on how to embed images in an F5 HTTP::respond content command
    </center>
    </body>
    </html>
            } "Content-Type" "text/html"
        }
    }
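As an added example that is not part of the post or its attachment, the Python below carries the three steps above through end to end: it sniffs the image type from the file signature (the MIME type in the data: URI has to match the bytes, which the post leaves to the reader), base64-encodes the bytes into the img tag, wraps the page in the iRule skeleton from the post, and checks that the HTML is safe inside a Tcl brace literal (HTTP::respond content {...} is a braced string, so an unbalanced brace in the page would break the rule; base64 output can never contain one). The 1x1 GIF bytes are constructed sample input and Pool_Name_Here is the post's placeholder.

```python
"""Build an HTTP::respond sorry page with an inline base64 image.

Added example, not the poster's iRule or attachment. Turns raw image bytes
into a data: URI, drops it into the HTML from the post, emits the iRule text
and round-trips the image back out of the page. SAMPLE_GIF is a constructed
1x1 GIF; Pool_Name_Here is the placeholder pool name from the post.
"""
import base64
import re

# Constructed sample input: a minimal 1x1 GIF (43 bytes).
SAMPLE_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
    b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

# File signatures for the image types a sorry page is likely to carry.
MAGIC = {b"GIF8": "image/gif", b"\x89PNG": "image/png", b"\xff\xd8\xff": "image/jpeg"}


def sniff_mime(data: bytes) -> str:
    """Pick the MIME type from the file signature. The data: URI must name the
    real type; a mismatch is one reason browsers refuse to render an image."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    raise ValueError("unsupported image type")


def data_uri(data: bytes) -> str:
    """Step 1 of the post: the image as a single base64 line with its MIME type."""
    return f"data:{sniff_mime(data)};base64,{base64.b64encode(data).decode('ascii')}"


def sorry_page(image: bytes, message: str) -> str:
    """Step 3: the post's HTML with the encoded image inside the img tag."""
    return (
        "<html><body><center>\n"
        f"<h2>{message}</h2>\n"
        f'<img src="{data_uri(image)}">\n'
        "</center></body></html>\n"
    )


def irule(pool: str, html: str) -> str:
    """Step 2: wrap the page in the iRule skeleton from the post. The HTML sits
    inside Tcl braces, so it must have balanced braces and no backslash-newline;
    refuse to emit a rule that would not load."""
    if html.count("{") != html.count("}") or "\\\n" in html:
        raise ValueError("HTML is not safe inside a Tcl brace literal")
    return (
        "when HTTP_REQUEST {\n"
        f"    if {{ [active_members {pool}] < 1 }} {{\n"
        "        HTTP::respond 503 content {\n"
        f"{html}"
        '        } "Content-Type" "text/html"\n'
        "    }\n"
        "}\n"
    )


def embedded_image(html: str) -> bytes:
    """Pull the image back out of the page, to confirm the round trip."""
    m = re.search(r'src="data:([^;]+);base64,([A-Za-z0-9+/=]+)"', html)
    if not m:
        raise ValueError("no inline image found")
    return base64.b64decode(m.group(2))


if __name__ == "__main__":
    page = sorry_page(SAMPLE_GIF, "Service temporarily unavailable")
    print(irule("Pool_Name_Here", page))
```

The brace check matters in practice: a sorry page copied from a designer often contains inline CSS or JavaScript, and a single stray brace inside content {...} fails the whole rule at load time, whereas the base64 payload itself is always safe.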
iRule to retry with modulus operator

Hi, we have 4 pools and we are redirecting the request to each pool by calculating the modulus of the crc32 value of an HTTP header ID. I have written the following iRule for that. In the HTTP header we will get objectId; we compute its crc32 and then take a modulus to redirect to the appropriate pool (and further redirection to the appropriate pool via HTTP::uri), so that all requests with the same objectId stay in the same subsystem pools. From the start we know we have 3 nodes in each pool.

    when HTTP_REQUEST {
        set uri [HTTP::uri]
        if { [string tolower $uri] contains "/api/gateway" or [string tolower $uri] contains "/api/channel" or [string tolower $uri] contains "/api/space" } {
            # hash the object ID and pick one of the three member positions
            set orgid [crc32 [HTTP::header objectId]]
            set key [expr $orgid % 3]
            log "mod value is $key"
            if { $key == 0 } {
                log "Redirecting to Pool 0"
                switch -glob [string tolower $uri] {
                    "/api/channel*" { pool channel-pool member 192.168.159.133 8088 }
                    "/api/space*" { pool space-pool member 192.168.159.133 8089 }
                    "/api/gateway*" { pool gateway-pool member 192.168.159.133 8087 }
                    default { pool default_pool member 192.168.159.133 80 }
                }
            } elseif { $key == 1 } {
                log "Redirecting to Pool 1"
                switch -glob [string tolower $uri] {
                    "/api/channel*" { pool channel-pool member 192.168.159.134 8088 }
                    "/api/space*" { pool space-pool member 192.168.159.134 8089 }
                    "/api/gateway*" { pool gateway-pool member 192.168.159.134 8087 }
                    default { pool default_pool member 192.168.159.134 80 }
                }
            } elseif { $key == 2 } {
                log "Redirecting to Pool 2"
                switch -glob [string tolower $uri] {
                    "/api/channel*" { pool channel-pool member 192.168.159.135 8088 }
                    "/api/space*" { pool space-pool member 192.168.159.135 8089 }
                    "/api/gateway*" { pool gateway-pool member 192.168.159.135 8087 }
                    default { pool default_pool member 192.168.159.135 80 }
                }
            }
        }
    }

Now we have a functionality that if one member in any pool goes down it will not send requests to the same node across all pools. But how can we decrease the number from 3 to 2 or some other value if it finds any member in any pool as down? If anybody can help me on this. Thanks.
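The difficulty in the post comes from the modulus itself: crc32(objectId) mod N assigns by position, so when N drops from 3 to 2 roughly two thirds of all objectIds move to a different node, not only the ones that were on the failed member. The Python below is an added example, not the poster's iRule, that shows the modulus scheme side by side with rendezvous (highest-random-weight) hashing, where every live node is scored per objectId and the best score wins; dropping a node then moves only the IDs that were on it, which is the property the question is after. It assumes BIG-IP's crc32 yields the same standard CRC-32 as zlib.crc32 (an assumption), uses the node addresses from the post, and the objectIds are constructed.

```python
"""Node choice by hash of an object ID: modulus versus rendezvous hashing.

Added example, not the poster's iRule. Assumes BIG-IP's crc32 command yields
the standard CRC-32 that zlib.crc32 computes (an assumption). Node addresses
are the ones in the post; the object IDs are constructed.
"""
import zlib

NODES = ["192.168.159.133", "192.168.159.134", "192.168.159.135"]


def modulo_pick(object_id: str, nodes):
    """What the posted iRule does: crc32(objectId) mod number-of-nodes, then
    index into the list. Changing len(nodes) re-indexes almost every ID."""
    return nodes[zlib.crc32(object_id.encode()) % len(nodes)]


def rendezvous_pick(object_id: str, nodes):
    """Highest-random-weight hashing: score each live node with
    crc32(objectId + node) and take the best. A node that goes down simply
    drops out of the comparison, so only the IDs it was winning move."""
    return max(nodes, key=lambda node: zlib.crc32(f"{object_id}|{node}".encode()))


def moved_fraction(pick, object_ids, before, after):
    """Fraction of IDs that land on a different node when the member list
    changes from `before` to `after` under the given scheme."""
    moved = sum(1 for oid in object_ids if pick(oid, before) != pick(oid, after))
    return moved / len(object_ids)


def remapping_is_minimal(pick, object_ids, nodes, down):
    """True if, after removing `down`, every ID that was not on the down node
    still lands on the same node under the given scheme."""
    live = [n for n in nodes if n != down]
    for oid in object_ids:
        was = pick(oid, nodes)
        if was != down and was != pick(oid, live):
            return False
    return True


if __name__ == "__main__":
    ids = [f"org-{i}" for i in range(1000)]   # constructed sample objectIds
    down = NODES[2]                           # 192.168.159.135 has gone down
    live = [n for n in NODES if n != down]
    for name, pick in (("modulo", modulo_pick), ("rendezvous", rendezvous_pick)):
        print(f"{name:10} moved {moved_fraction(pick, ids, NODES, live):.3f}"
              f"  minimal={remapping_is_minimal(pick, ids, NODES, down)}")
```

In an iRule the same idea is a loop over [active_members -list pool_name] that computes crc32 of the objectId joined with each member address and keeps the highest; the member count never has to be known in advance, and a member that monitors mark down disappears from the candidate list on its own.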
Request client cert based on URI access

Hi! I've been dredging DevCentral and built 4 or 5 iterations of an iRule with mixed success. I made a good breakthrough, but then the scope crept and I'm back at step 1. I am attempting to develop an iRule that will limit access to certain URIs based upon the client providing a certificate. The trick is users can only be prompted to provide a certificate when they access the specific URI. I've started fresh using the example provided here: http://devcentral.f5.com/wiki/iRule...ation.ashx I've obfuscated some data but nothing critical to the running of the iRule. I've also changed the outcome: I just want the PEM-encoded cert inserted in the header (processing occurs on the application server). In its current form the connection seems to 'hang', which makes me think the HTTP::release isn't happening. Here is where I am now:

    # Initialize the variables on new client TCP session.
    when CLIENT_ACCEPTED {
        set collecting 0
        set renegtried 0
    }

    # Runs for each new HTTP request
    when HTTP_REQUEST {
        if { $renegtried == 0 and [SSL::cert count] == 0 and ( [HTTP::uri] equals "/URI/ClientCert" ) } {
            HTTP::collect
            set collecting 1
            SSL::cert mode request
            SSL::renegotiate
        }
    }

    when CLIENTSSL_HANDSHAKE {
        if { $collecting == 1 } {
            set renegtried 1
            HTTP::release
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            if { [SSL::cert count] > 0 } then {
                # set a variable for the whole cert - cut out the BEGIN and END lines,
                # then join the remaining PEM lines with no separator so the header is one base64 string
                set ssl_cert_whole [join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } [X509::whole [SSL::cert 0]]]] ""]
                # log to show we are receiving the cert
                log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
                # drop any copy of the header a client may have supplied, then insert the whole cert
                HTTP::header remove "X-ENV-SSL_CLIENT_CERTIFICATE"
                HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
            } else {
                log local0. "Restricted zone. No client cert detected - redirecting."
                HTTP::redirect "https://error.com"
            }
        }
    }

Any help would be awesome.
Irule for redirect when all pool members down, need one for each pool? and what is the standard practice for sorry server?

This is what I have for an iRule to implement when all members of a pool are not available due to maintenance or an unplanned outage:

    when HTTP_REQUEST {
        if { [active_members EXAMPLETEST_POOL] == 0 } {
            HTTP::redirect "http://209.196.27.42/"
        }
    }

Now this is for one pool; we have over 10 pools. Is there a way to re-write this so the same iRule can be applied to each virtual server? Or do I need to create a separate iRule for each pool? Lastly, the redirect is going to one server serving the web page. This has to be mapped to a public IP at the firewall with the non-NAT'd IP as the virtual server for that web server. Then a DNS record is created for that public IP address. Is this the typical practice for a sorry server? Are there any steps I can take to mitigate any risks, if any, in my present setup? Thanks,
alteration to an existing irule

Hi, this is definitely a newbie question, so apologies in advance! I have a context switch within an iRule like so:

    "/stuff/place*" {
        pool my_pool
        return
    }

I would now like to point /stuff* to the same pool, but in the following manner:

    "/stuff*" {
        if { some conditions } {
            HTTP::redirect "http://www.site.com/overhere/"
        } else {
            pool my_pool
        }
    }

My question is, can the two context switches co-exist within the same iRule, or will the switch for /stuff* overrule the entry for /stuff/place*?
https and http to http http::path redirection not working

So I am new to F5; I spent the last week reading iRules material and the DevCentral iRules forums. I think I got my script partially right, but it's not redirecting.

So I have one HTTP VS on port 80. Let's call it http://aaa.b.com/test (internal URL used within the network):
- using default http class
- no cert/SSL
- nothing listening on 443
- pointing to a single default web pool of 6 nodes, also just listening on port 80 (IIS 6)

My client has external and internal URLs for their traffic. The external one is https://xxx.b.com/test. If they are within the internal network going to xxx.b.com, DNS points you to the aaa.b.com address. My client wanted: if they go to https://xxx.b.com/test internally, it would be redirected to http://aaa.b.com/test.

The iRule I created was:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "xxx.b.com" } {
            # redirect to the internal URL (the scheme needs "http://" with two slashes)
            HTTP::redirect "http://aaa.b.com/test"
        }
    }

I did some troubleshooting and threw in some logging, but it was no help:

    log local0. "redirecting from [HTTP::host]"

If a user went to https://xxx.b.com/test, nothing happened: no logging, and the user gets "page cannot be displayed". I think I may be missing something; do I need to set up a separate VS on HTTPS 443? If a user went to http://xxx.b.com/test, the log does say "redirecting from xxx.b.com" but the user is not redirected. So I think I could be missing some setting outside of iRules. Any thoughts on this would be appreciated, sorry I am just a new nub :)
Flexible host + uri redirector with data-groups

Hi! We have an iRule that I've been trying to port over from v9. In v9 it was simple: I had 2 classes, a keep_uri and a nokeep_uri class, each in the format:

    hostheader1.example.com /someuri1 http://destination1.example.com/otheruri1 301
    hostheader2.foobar.com /someuri2 http://destination2.example.com/otheruri2 301
    hostheader3.foobaz.com /someuri3 http://destination3.example.com/otheruri3 302
    etc...

From there I could easily loop looking for a [HTTP::host] match and then loop looking for a [HTTP::uri] starts_with [getfield $row " " 2] in the "keep_uri" case, or, in the nokeep_uri case, ([string tolower [HTTP::uri]] equals [getfield $row " " 2]) or ([string tolower [HTTP::uri]] starts_with "[getfield $row " " 2]/"). In v10/v11 the data-groups have been moved to key-value pairs, which I understand is probably faster and easier to search, but feels less flexible. Here is what I've come up with:

    ltm rule redirect_by_host_and_uri {
        when HTTP_REQUEST {
            # get rid of any port information in the host header + set the url variable
            set url [substr [string tolower [HTTP::host]] 0 ':'][HTTP::uri]
            log local0. "Saved into url variable: $url"
            if { [class match $url starts_with redirect_301_keep] } {
                HTTP::respond 301 Location [class match -value -- $url starts_with redirect_301_keep][HTTP::uri]
                log local0. "Matched $url in redirect_301_keep, redirecting to [class match -value -- $url starts_with redirect_301_keep][HTTP::uri]"
            } elseif { [class match $url equals redirect_301_nokeep] } {
                HTTP::respond 301 Location [class match -value -- $url equals redirect_301_nokeep]
                log local0. "Matched $url in redirect_301_nokeep, redirecting to [class match -value -- $url equals redirect_301_nokeep]"
            } elseif { [class match $url equals redirect_302_nokeep] } {
                HTTP::redirect [class match -value -- $url equals redirect_302_nokeep]
                log local0. "Matched $url in redirect_302_nokeep, redirecting to [class match -value -- $url equals redirect_302_nokeep]"
            }
            set cn redirect_301_nokeep
            set id [class startsearch $cn]
            while { [class anymore $cn $id] } {
                set n [class nextelement $cn $id]
                set u [lindex $n 0]
                set r [lindex $n 1]
                if { ($url starts_with "$u/") } {
                    # log the element already fetched into $n; a second class nextelement
                    # here would consume the following element and fail on a one-entry data-group
                    log local0. "Matched url: $url with element $u"
                    HTTP::respond 301 Location $r
                    break
                }
            }
            class donesearch $cn $id
            set cn redirect_302_nokeep
            set id [class startsearch $cn]
            while { [class anymore $cn $id] } {
                set n [class nextelement $cn $id]
                set u [lindex $n 0]
                set r [lindex $n 1]
                if { ($url starts_with "$u/") } {
                    log local0. "Matched url: $url with element $u"
                    HTTP::redirect $r
                    break
                }
            }
            class donesearch $cn $id
        }
    }

    ltm data-group internal redirect_301_keep {
        description "A list of host/uri pairs to redirect with 301 and keep the uri intact."
        records {
            foobar.example.com/foo/bar { data http://www.example.com/ }
        }
        type string
    }

    ltm data-group internal redirect_301_nokeep {
        description "A list of hosts/uris to match and 301 redirect without keeping the URI"
        records {
            foobar.example.com/baz { data http://www.example.com/ }
        }
        type string
    }

    ltm data-group internal redirect_302_nokeep {
        description "A list of host/uris to match and 302 redirect"
        records {
            foobar.example.com/302me { data http://www.example.com/something }
        }
        type string
    }

This actually seems to work if I have more than 1 entry in the classes, but when I have one entry (as shown) I get these errors:

    Feb 19 07:56:18 tmm err tmm[8448]: 01220001:3: TCL error: /Common/redirect_by_host_and_uri - Class iterator has no more elements (line 37) invoked from within "class nextelement -name $cn $id"
    Feb 19 07:57:56 tmm2 err tmm2[8450]: 01220001:3: TCL error: /Common/redirect_by_host_and_uri - Class iterator has no more elements (line 37) invoked from within "class nextelement -name $cn $id"

I think I understand *why* I get these errors, but I don't understand how to prevent it. Is there a way to act on the *current* element instead of nextelement? Is there a better way to do this? Thanks!
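To make the matching semantics above concrete, the Python below is an added example, not the posted iRule or F5 code: the three data-groups as dicts holding the entries from the post, and one lookup that applies them in the iRule's order, using the "$u/" boundary test for the no-keep prefix cases so that foobar.example.com/baz cannot claim /bazaar. Two things go beyond the rule as posted and are labelled as such: the keep-URI table is also matched only at a "/" boundary, and the target and URI are joined without producing a doubled slash.

```python
"""Host + URI redirect lookup with path-boundary prefix matching.

Added example, not the posted iRule or F5 code. The three tables hold the
entries from the post's data-groups; resolve() applies them in the order the
iRule does. Unlike the rule as posted, the keep-URI table also matches only
at a '/' boundary and the target/URI join avoids a doubled slash.
"""

REDIRECT_301_KEEP = {"foobar.example.com/foo/bar": "http://www.example.com/"}
REDIRECT_301_NOKEEP = {"foobar.example.com/baz": "http://www.example.com/"}
REDIRECT_302_NOKEEP = {"foobar.example.com/302me": "http://www.example.com/something"}


def normalise(host: str, uri: str) -> str:
    """Mirror the iRule's url variable: host lower-cased with any :port
    removed, followed by the URI as received. Only the host is lower-cased,
    so table keys must match the URI's case exactly."""
    return host.split(":", 1)[0].lower() + uri


def prefix_at_boundary(url: str, key: str) -> bool:
    """True if url equals key or continues it with '/'. This is the "$u/"
    test from the post: it keeps 'foobar.example.com/baz' from claiming
    'foobar.example.com/bazaar'."""
    return url == key or url.startswith(key + "/")


def resolve(host: str, uri: str):
    """Return (status, location) for a request that hits a table, else None.
    Order: keep-URI prefixes, exact no-keep matches, then no-keep prefixes."""
    url = normalise(host, uri)
    for key, target in REDIRECT_301_KEEP.items():
        if prefix_at_boundary(url, key):
            # keep entries carry the original URI across to the new host
            return 301, target.rstrip("/") + uri
    for table, status in ((REDIRECT_301_NOKEEP, 301), (REDIRECT_302_NOKEEP, 302)):
        if url in table:
            return status, table[url]
    for table, status in ((REDIRECT_301_NOKEEP, 301), (REDIRECT_302_NOKEEP, 302)):
        for key, target in table.items():
            if prefix_at_boundary(url, key):
                return status, target
    return None


if __name__ == "__main__":
    for host, uri in (("foobar.example.com", "/foo/bar/page?x=1"),
                      ("FOOBAR.example.com:80", "/baz"),
                      ("foobar.example.com", "/bazaar"),
                      ("foobar.example.com", "/302me/x")):
        print(host, uri, "->", resolve(host, uri))
```

Iterating a dict also sidesteps the error in the post: each entry is fetched once per loop pass, so there is no second fetch that can run the iterator past a one-entry table.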