For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

devops

21609 Topics

How to tell nginx to use a forward proxy to reach a specific destination
Hello. I accidentally closed my previous post, so I recreate this discussion because of the following problem I'm encountering. Here is the situation : I have multiple servers which are in a secure network zone I have another server where nginx is installed and is used as a reverse proxy. The NGINX server has access to a remote destination (a gitlab server) through a forward proxy (squid) So the flow is the following : Servers in secure zone --> Server Nginx as reverse proxy --> Server squid as forward proxy --> an internal gitlab in another network zone. Is it possible to tell nginx to use the squid forward proxy to reach the gitlab server, please ? For the moment, I have this configuration : server { listen 443 ssl; server_name <ALIAS DNS OF NGINX SERVER>; ssl_certificate /etc/nginx/certs/mycert.crt; ssl_certificate_key /etc/nginx/certs/mykey.key; ssl_session_cache shared:SSL:1m; ssl_prefer_server_ciphers on; access_log /var/log/nginx/mylog.access.log; error_log /var/log/nginx/mylog.error.log debug; location / { proxy_pass https://the-gitlab-host:443; } } But it does not work. When I try to perform a git command from a server in secure zone, it fails and in the nginx logs I see a timeout, which is normal, because nginx does not use the squid forward proxy to reach the gitlab server. Thank you in advance for your help ! Best regards.
Solved
pepito
Oct 28, 2022 Place Technical Forum
44KViews
0likes
12Comments
How to rewrite a path to a backend service dropping the prefix and passing the remaining path?
Hello, I am not sure whether my posting is appropriate in this area, so please delete it if there is a violation of posting rules... This must be a common task, but I cannot figure out how to do the following fanout rewrite in our nginx ingress: http://abcccc.com/httpbin/anything -> /anything (the httpbin backend service) When I create the following ingress with a path of '/' and send the query, I receive a proper response. curl -I -k http://abczzz.com/anything apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: mikie-ingress namespace: mikie spec: ingressClassName: nginx rules: - host: abczzz.com http: paths: - path: / pathType: Prefix backend: service: name: httpbin-service port: number: 8999 What I really need is to be able to redirect to different services off of this single host, so I changed the ingress to the following, but the query always fails with a 404. Basically, I want the /httpbin to disappear and pass the path onto the backend service, httpbin. curl -I -k http://abczzz.com/httpbin/anything apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: mikie-ingress namespace: mikie annotations: nginx.ingress.kubernetes.io/rewrite-target: /$2 spec: ingressClassName: nginx rules: - host: abczzz.com http: paths: - path: /httpbin(/|$)(.*) pathType: Prefix backend: service: name: httpbin-service port: number: 8999 Thank you for your time and interest, Mike
michaelgardner
Jun 02, 2022 Place Technical Forum
21KViews
0likes
15Comments
Help with upstream prematurely closed!
Hello everyone! I'm trying to publish a blazor server app (just a template app for testing) on Nginx in debian 11. Actually i have like a week stucked with this problem, reading every post writted about this error, but nothing works for me. Someone can give me some light about what can be the problem? Nginx conf: user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; # multi_accept on; } http { ## # Basic Settings ## sendfile on; tcp_nopush on; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } server blocks at sites-enabled/test server { listen 80; listen [::]:80; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate /etc/nginx/cert.pem; ssl_certificate_key /etc/nginx/cert.key; location / { proxy_pass http://dotnet; proxy_set_header Host $host; proxy_http_version 1.1; # you need to set this in order to use params below. proxy_temp_file_write_size 64k; proxy_connect_timeout 10080s; proxy_send_timeout 10080; proxy_read_timeout 10080; proxy_buffer_size 64k; proxy_buffers 16 32k; proxy_busy_buffers_size 64k; proxy_redirect off; proxy_request_buffering off; proxy_buffering off; } } upstream dotnet { zone dotnet 64k; server 127.0.0.1:7155; }
Solved
standby
Nov 13, 2022 Place Technical Forum
15KViews
0likes
3Comments
does nginx (1.20 or newer) re-resolve DNS for proxy_pass?
Consider this nginx config snippet: location ^~ /_example/ { proxy_pass https://example.com/_example/; proxy_set_header Host my-site; } Assuming "example.com" DNS TTL is set to 60 seconds - will nginx re-resolve DNS after 60 seconds? Or does it only resolve the name on startup? I'm finding different info around the internet: - it will re-resolve only in the commercial nginx plus - it will re-resolve only in newer nginx releases; in older ones, one need to make some workarounds - it will only resolve once on startup and never again
mangoo
Nov 01, 2022 Place Technical Forum
14KViews
0likes
5Comments
AMQP Cleartext Authentication
Description The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear. Solution Disable cleartext authentication mechanisms in the AMQP configuration in ubuntu or centos machines disable unencrypted access in the configuration file. >> unencrypted" here refers to client connections. https://www.rabbitmq.com/ssl.html Steps of disabling the AMQP: https://liquidwarelabs.zendesk.com/hc/en-us/articles/360019562832-Disable-cleartext-authentication-option-in-RabbitMQ The above link used for windows vulnerability. Please help in getting resolution for Centos or Ubuntu configuration file.
wazir
Jul 13, 2019 Place Technical Forum
13KViews
0likes
0Comments
Redirecting public facing URL to an internal non public facing URL
Hi I am trying to set up a rule that will allow external users hitting an external facing URL that resolves to a VIP on our DMZ LTMs and redirects them to an internal non public facing URL on our internal pair of LTMs based on the URI. Is this possible?
SteveD1979
Feb 18, 2022 Place Technical Forum
12KViews
0likes
1Comment
URL rewrite through iRule
Hi Guys, i have one "Performance (HTTP)" virtual server on F5-1600 series, and i want to change the URL "http://www.abc.com" to "http://partner.abc.com/xyz". i have tried all below scripts : 1- when HTTP_REQUEST { if {([string tolower [HTTP::host]] equals "http://www.abc.com")}{ HTTP::header replace Host "http://partner.abc.com/xyz" } } 2- when HTTP_REQUEST { if { not ([HTTP::uri] starts_with "/xyz") } { HTTP::uri /xyz[HTTP::uri] } } 3- when HTTP_REQUEST { if {[HTTP::uri] equals {http://www.abc.com}} {HTTP::uri {http://partner.abc.com/xyz} } } but i wasn't successful! can anyone help me how can i do this through iRule ?
Solved
sunnyman67_1367
Nov 03, 2013 Place Technical Forum
9.9KViews
0likes
27Comments
01 - Visualization of F5 BIG-IP metrics on Grafana using Prometheus and Telemetry Streaming service
This user guide is all about configuration and deployment of telemetry streaming service on F5 BIG-IP device and scraps those metrics by Prometheus which will be finally visualized by the Grafana. One can select the relevant metrics scraped by the Prometheus and visualize them on the Grafana which will be demonstrated later in the guide. Note: More detailed steps along with configuration images can be found on : https://nishalrai.com.np/2022/08/18/visualization-of-f5-big-ip-metrics-on-grafana-using-prometheus-and-telemetry-streaming-service/ This guide is heavily based on the work performed by Michael O'Leary and one can view on here. The purpose of this guide is to document a little more elaborated guide for both learning and deployment aspects and also address the possible issues that could be faced during the process of deployment. Telemetry streaming (TS) is an iControl LX extension delivered as a TMOS-independent RPM file with the ability to declaratively aggregate, normalize and forward statistics and events from the BIG-IP to a consumer application by posting a single TS JSON declaration to TS’s declarative REST API endpoint. Additional information about Telemetry streaming can be found here. Prometheus is an open-source monitoring solution that stores time series data like metrics whereas Grafana allows visualizing the data stored in Prometheus and also supports a wide range of other sources. A short briefing about the architecture diagram in case of this user-deployment case scenario, the F5 BIG-IP system is on standalone mode with a management IP of 172.20.100.173, and both Prometheus and Grafana services are running on the same host with an IP address of 192.168.180.191 where the service port for Prometheus is on default – 9090 and the service port for Grafana is 5000. The whole deployment guide is broadly divided into the following sections and one can jump to the required step if they have achieved the previous configuration successfully: Section I: Download and install Telemetry Streaming Section II: Telemetry Streaming Declaration on the F5 BIG-IP device Section III: Configuration of Prometheus Section IV: Configuration on Grafana using Prometheus as a data source Section I: Download and install Telemetry Streaming We need to first download and install the telemetry streaming package on the F5 BIG-IP device. Since the telemetry streaming package is an RPM file that can be downloaded and can install through GUI or curl command on the CLI of the F5 BIG-IP device. In this user manual guide, we will download and then upload the telemetry streaming package on the BIG-IP using the iControl/iApp LX framework. One can use the alternative way which can be found here. First, we need to download the RPM file, one can find the latest telemetry streaming RPM file on the F5 Telemetry site on GitHub and download the latest RPM file. The GitHub page to download telemetry streaming can be found here. After downloading the file, you need to access your F5 BIG-IP GUI with your admin privilege account then follow the following steps: Go To iApps module > Package Management LX > Import > Browse to the downloaded location > Select Section II: Telemetry Streaming Declaration on the F5 BIG-IP device Once the download and installation of the F5 telemetry streaming package have been completed, we need to send a Telemetry Streaming declaration to configure a Telemetry Streaming pull consumer target. Before we jump into this configuration, we need to create a new user with an administrator role on the F5 BIG-IP device and you can just continue with the default admin user on the further configuration. We can create a new user in the following steps: Go to System > Users > User List Click on Create button Input the new user’s name and password Select role as administrator then add Click on the Finished button As we’re using Prometheus on this user-guide manual so, the Telemetry Streaming consumer target will be Prometheus which is hosted on 192.168.180.191:5000 We can either use Postman or using curl command on the CLI of the F5 BIG-IP device to configure a Telemetry Streaming pull consumer target. Configuration using Postman application Just follow the following steps for the configuration of the telemetry streaming consumer target using the Postman application. Step I: Open the Postman and create a new tab Step II: Select the GET method and paste the following link https://<big-ip-management-ip-address>/mgmt/shared/telemetry/declare Step III: Browse on Auth field and fill up the credentials Use the credentials used to log into F5 BIG-IP (in this case, recently created new user) Step IV: Select on Body option Change the method into POST, then select raw sub-option and then JSON data format. Past the Telemetry Streaming declaration on the body section and then click on the send button. { "class": "Telemetry", "My_Poller": { "class": "Telemetry_System_Poller", "interval": 0 }, "My_System": { "class": "Telemetry_System", "enable": "true", "systemPoller": [ "My_Poller" ] }, "metrics": { "class": "Telemetry_Pull_Consumer", "type": "Prometheus", "systemPoller": "My_Poller" } } Step V: Verify the response as the success status Select GET HTTP method on https://<big-ip-management-ip-address>/mgmt/shared/telemetry/declare Step VI: Verify the available metrics Create a new tab on Postman: - On the URL section https://<big-ip-management-ip-address>/mgmt/shared/telemetry/pullconsumer/metrics - On the authorization section, use the same credentials used before
Nishal_Rai
Aug 27, 2022 Place Technical Forum
9.9KViews
4likes
4Comments
Disable TLS 1.0 and 1.1 protocol on VIPS, Only TLS 1.2 should be on.
Suppose we have to disable TLS 1.0 and 1.1 protocol on a VIP. Only TLS 1.2 should be enabled. Consider client-ssl profile is having the existing ciphers as : ciphers DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!MD5:!RC4-SHA:!3DES Will modifying cipher to "TLSv1_2" fulfill the requirement.
Solved
AJF5
Aug 26, 2017 Place Technical Forum
9.6KViews
0likes
5Comments
Tmsh command to see self-ip addresses
Hello, i need a command to see the self-ip ip address. Any idea. I tried show net self, show sys ip-address without success Thanks
mplaksin0
Sep 08, 2020 Place Technical Forum
9.6KViews
0likes
3Comments