An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing ssl termination on F5) fails because the enriched header from client contains reserved tls extension values. (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtmltls-extensiontype-values-1). The Client Hello request in the SSL Handshake was captured and contained an Extensions list, which included a reserved TLS Extension value (17156), which the F5 isn't presenting in Server Hello. I need an irule that can allow that Extension to be added on the client ssl profile so the ssl handshake doesn't fail.
How to generate the persistence cookie with an iRule
Problem this snippet solves: When you configure a cookie persistence profile to use the HTTP Cookie Insert or HTTP Cookie Rewrite method, the BIG-IP system inserts a cookie into the HTTP response. The cookie value contains the encoded IP address and port of the destination server. Exemple of a cookie value : 1677787402.36895.0000 (See SOL6917 for more information about this topic) Let's assume that you want your pool member to receive a copy of this cookie value in an HTTP header. Because for example you want your application to forge an url where the cookie value is in a GET parameter. (NOTE : I cannot modify the behavior of the application, I can only play with headers) Retrieving the cookie value is pretty easy with iRule : [HTTP::cookie value $cookie_name] But you'll notice that there is a little issue with this feature: when you are a new visitor, the persistence cookie is inserted in the HTTP response ... Meaning that for the very first hit made by the visitor, there will be NO cookie value to retrieve ... In my scenario it was an issue to miss this cookie value on the first hit, so I had to come up with a solution to forge the cookie value based on pool member IP and port when the persistence cookie is missing. I chose to adapt the code found here and there (thanks !) EDIT : Well I figured out that if you are not using a default route-domain the persistence cookie value will be different (see https://support.f5.com/csp/article/K6917 ) Here is the alternative code bloc to use IPv4 non-default route domains: set ADDR "[format %02x $a][format %02x $b][format %02x $c][format %02x $d]" set PORT [LB::server port] set COOKIE "rd2o00000000000000000000ffff${ADDR}o${PORT}" How to use this snippet: To summarize what the iRule does : if the persistence cookie doesn't exist (most likely because it's the very first hit), then calculate it from member IP and PORT (it obviously has to be after the "When LB_SELECTED" statement) ; else just read the existing cookie. You can set the $cookie_name parameter manually, or let the iRule identify it Code : when LB_SELECTED { #set cookie_name SERVERID # following function could determine persistence cookie name being used if not manually set by the previous line if {not [info exists cookie_name]} { if { [set cookie_name [PROFILE::persist mode cookie cookie_name]] eq "" } { set cookie_name "BIGipServer[getfield [LB::server pool] "/" 3]" } #Default cookie name requires the getfield "/" 3 purge otherwise it's /Common/pool_name } if { [set COOKIE [HTTP::cookie value $cookie_name]] == "" } { scan [LB::server addr] {%d.%d.%d.%d} a b c d set ADDR [expr { $a + $b * 256 + $c * 65536 + $d * 16777216 }] set PORT [ntohs [LB::server port]] set COOKIE "${ADDR}.${PORT}.0000" ## Following bloc must be used instead if you are using non-default route domains, see K6917 #set ADDR "[format %02x $a][format %02x $b][format %02x $c][format %02x $d]" #set PORT [LB::server port] #set COOKIE "rd2o00000000000000000000ffff${ADDR}o${PORT}" ######### unset a b c d ADDR PORT #log local0. "$cookie_name = $COOKIE created for [HTTP::uri]" } else { #log local0. "$cookie_name = $COOKIE already exists for [HTTP::uri]" } HTTP::header insert X-F5-persist $COOKIE } Tested this on version: 11.5
BIG-IP : http profile : insert x-forwarded-for : enabled
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi HTTP Profile Insert X-Forwarded-For : Enabled Suppose the client has already added the "X-Forwarded-For" header value to the request. How will BIG-IP behave ? Will it leave the existing header value intact ? Or will it overwrite the value with what it believes to be the request client ip ? Further, at what point in request-processing does the insert/replace header operation occur ? Does it occur before iRule processing so that the header value is available within the iRule event processing when HTTP_REQUEST {} ?
iRule to use HEADER name and value to redirect bot traffic to a specific pool
We are looking for the detail: "X-APP-WHITELIST" in the header equal to "8" OR if the user-agent has, "googlebot" discovered in the header. Not looking at the XFF part of the header. Is there a better name than, "googlebot" to use? Thank you all for your replies. This is awesome. when HTTP_REQUEST { if { [HTTP::header exists X-APP-WHITELIST] and [HTTP::header X-APP-WHITELIST] equals "8" or [string tolower [HTTP::header User-Agent]] contains "googlebot" } { pool A } else { pool default } }Cannot POST files >60KB via BIGIP LTM
Hi, My Customers are facing an issue wherein the users not able to POST files >60KB to an application abc.xyz.com hosted on BIGIP. Below is the error they see, {"errors":["errors.adt.ci.metainfo.provider.not.found "]} However, they are able to send directly to the backend server without any issues. For the above VS on BIGIP, the default HTTP profile has been attached wherein the Maximum Header Size is as around 32KB. Is there anyway to increase this file limit or solve this issue ??? Thanks in advance, MSKBIG-IP : header added timestamp
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi For the case where multiple identical headers (e.g. X-FORWARDED-FOR) accumulate as a request passes through a series of entities ( e.g. clients, forward-proxies, CDNs, reverse-proxies, & servers ) : X-FORWARDED-FOR 10.10.20.1 X-FORWARDED-FOR 199.16.144.5 X-FORWARDED-FOR 204.15.0.249 Does the request include timestamp data for each header added ? If BIG-IP adds a header , does it record the timestamp somewhere ?
ASM issue- Replacing header info
Hi, My ASm is is replcainf the header infirmation and that is stopping my application to work. How can i stop changing the contents. with direct server (pool member) HTTP/1.1 200 OK Date: Fri, 20 Nov 2015 10:42:01 GMT Server: Apache X-Frame-Options: SAMEORIGIN Last-Modified: Thu, 19 Nov 2015 12:05:21 GMT Accept-Ranges: bytes Content-Length: 24349 X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-store, no-cache, must-revalidate Connection: close Content-Type: application/javascript with VIP (ASM enabled) HTTP/1.1 200 OK Connection: close Cache-Control: no-cache Content-Type: text/html; charset=utf-8 Pragma: no-cache Content-Length: 187
TLS/1.0, PCI, and a custom message for HTTP response status codes
By June 30, 2018 we would like to turn off TLS/1.0 on all our HTTPS websites, in order to be compliant with PCI requirements. Instead of just turning TLS/1.0 off, we would like to use that time between now and June 30, 2018 to seamlessly phase the TLS/1.0 out. To do so, our F5 still supports all TLS protocols (TLS/1.0, TLS/1.1, and TLS/1.2), but only the clients supporting TLS/1.1 and above get the actual website content. Everyone else (clients supporting TLS/1.0 only) gets a custom error page informing them about the browser upgrade requirement. To achieve that, I'm using the HTTP status code "426 Upgrade Required". Please see: 4.2 Mandatory Advertisement in RFC2817 Server-initiated upgrade to TLS The expected result is: HTTP/1.1 426 Upgrade Required Upgrade: TLS/1.1, HTTP/1.1 Connection: Upgrade ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... Unfortunately, F5 gives me the following result: HTTP/1.1 426 Unknown Code Upgrade: TLS/1.1, HTTP/1.1 Connection: close ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... My iRule looks like this: Detect TLSv1.0 protocol and send HTTP 426 when HTTP_REQUEST priority 150 { if { [SSL::cipher version] equals "TLSv1" } { log local0. "TLS/1.0 connection detected from [IP::client_addr] for [HTTP::host]" HTTP::respond 426 -version auto content $static::obsolete_browser_page noserver "Upgrade" "TLS/1.1, HTTP/1.1" "Content-Type" "text/html" "Cache-Control" "no-cache" "Retry-After" "60" "Connection" "Close" event disable return } } If I use "Connection" "Upgrade" in the HTTP::respond code, as defined in the aforementioned RFC2817, F5 replaces it with Connection: Keep-Alive in the actual response which is being sent back to the client. My questions are: Question 1: is there a way in F5 to replace the message in HTTP response, so that it says: HTTP/1.1 426 Upgrade Required instead of HTTP/1.1 426 Unknown Code Question 2: is there a way to force F5 to send HTTP header that says: Connection: Upgrade instead of Connection: close or Connection: Keep-AliveDo I need to check HTTP::header exists before checking value?
I feel like this is a simple question, but I can't seem to find a definitive answer... To check the value of a particular HTTP header, I can do this: if { [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } My basic question is "What happens is the Origin header is not passed?"... The spec says that HTTP::header will return null if the header called does not exist. What does this mean for my if statement - is null treated the same as false in an if statement? If the above code example will be problematic if Origin is not passed, can I write the code as a single line, like this: if { [HTTP::header exists Origin] and [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } or does it need to be two separate nested if statements: if { [HTTP::header exists Origin] } { if {[HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } }iRule Help Inserting Header in HTTP_REQUEST_DATA
Hello, I'm attempting to insert a header which contains error values from a 'Sideband' response. I can't post the whole code due to what it does. For example:- when HTTP_REQUEST { set host_header [HTTP::host] set host_status [string tolower [class match -value [HTTP::host] starts_with DataGroup1]] set uri [HTTP::uri] set uri_status [string tolower [class match -value [HTTP::uri] starts_with DataGroup2]] set sessionid "" if {[HTTP::cookie exists "JSESSIONID"]} { set sessionid [HTTP::cookie value "JSESSIONID"] } if {[HTTP::method] eq "POST" && $host_status eq "on" && $uri_status eq "on"}{ if {[HTTP::header exists "Content-Length"] }{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } HTTP::collect $content_length } } when HTTP_REQUEST_DATA { set payload [HTTP::payload] #DO SOME STUFF# set pool1 [class match -value locale starts_with Datagroup3] if { [active_members $pool1] < 1 } { log local0. "The pool member is down" HTTP::header insert x-error-code Ts-Unavailable ***Above not inserting Header*** } else { #CONSTRUCT SOAP PAYLOAD# #POST DATA TO SIDEBAND SERVICE# set conn [connect -timeout 1000 -status conn_status %Virtual1] set conn_info [connect info -idle -status $conn] set send_info [send -timeout 1000 $conn $request_to_send] set recv_request [recv -timeout 1000 $conn] close $conn if {$recv_request contains "<errorCode>"}{ set start_error "<errorCode>" set end_error "</errorCode>" set pos_error [ string first $start_error $recv_request] set error_path_and_value [substr $recv_request $pos_error "</errorCode>"] set error_value [getfield $error_path_and_value ">" 2] HTTP::header insert x-error-code $error_value ***Above not inserting Header*** #STRIP OUT DATA# } else { #The Service replied with a valid response. #REPLACE DATA WITH RECEIVED DATA# } } HTTP::release } Should this insert the Header into the HTTP Request destined for the Default Virtual/Pool? Am I missing something? Thanks,