How to generate the persistence cookie with an iRule
Problem this snippet solves: When you configure a cookie persistence profile to use the HTTP Cookie Insert or HTTP Cookie Rewrite method, the BIG-IP system inserts a cookie into the HTTP response. The cookie value contains the encoded IP address and port of the destination server. Exemple of a cookie value : 1677787402.36895.0000 (See SOL6917 for more information about this topic) Let's assume that you want your pool member to receive a copy of this cookie value in an HTTP header. Because for example you want your application to forge an url where the cookie value is in a GET parameter. (NOTE : I cannot modify the behavior of the application, I can only play with headers) Retrieving the cookie value is pretty easy with iRule : [HTTP::cookie value $cookie_name] But you'll notice that there is a little issue with this feature: when you are a new visitor, the persistence cookie is inserted in the HTTP response ... Meaning that for the very first hit made by the visitor, there will be NO cookie value to retrieve ... In my scenario it was an issue to miss this cookie value on the first hit, so I had to come up with a solution to forge the cookie value based on pool member IP and port when the persistence cookie is missing. I chose to adapt the code found here and there (thanks !) EDIT : Well I figured out that if you are not using a default route-domain the persistence cookie value will be different (see https://support.f5.com/csp/article/K6917 ) Here is the alternative code bloc to use IPv4 non-default route domains: set ADDR "[format %02x $a][format %02x $b][format %02x $c][format %02x $d]" set PORT [LB::server port] set COOKIE "rd2o00000000000000000000ffff${ADDR}o${PORT}" How to use this snippet: To summarize what the iRule does : if the persistence cookie doesn't exist (most likely because it's the very first hit), then calculate it from member IP and PORT (it obviously has to be after the "When LB_SELECTED" statement) ; else just read the existing cookie. You can set the $cookie_name parameter manually, or let the iRule identify it Code : when LB_SELECTED { #set cookie_name SERVERID # following function could determine persistence cookie name being used if not manually set by the previous line if {not [info exists cookie_name]} { if { [set cookie_name [PROFILE::persist mode cookie cookie_name]] eq "" } { set cookie_name "BIGipServer[getfield [LB::server pool] "/" 3]" } #Default cookie name requires the getfield "/" 3 purge otherwise it's /Common/pool_name } if { [set COOKIE [HTTP::cookie value $cookie_name]] == "" } { scan [LB::server addr] {%d.%d.%d.%d} a b c d set ADDR [expr { $a + $b * 256 + $c * 65536 + $d * 16777216 }] set PORT [ntohs [LB::server port]] set COOKIE "${ADDR}.${PORT}.0000" ## Following bloc must be used instead if you are using non-default route domains, see K6917 #set ADDR "[format %02x $a][format %02x $b][format %02x $c][format %02x $d]" #set PORT [LB::server port] #set COOKIE "rd2o00000000000000000000ffff${ADDR}o${PORT}" ######### unset a b c d ADDR PORT #log local0. "$cookie_name = $COOKIE created for [HTTP::uri]" } else { #log local0. "$cookie_name = $COOKIE already exists for [HTTP::uri]" } HTTP::header insert X-F5-persist $COOKIE } Tested this on version: 11.5
BIG-IP : http profile : insert x-forwarded-for : enabled
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi HTTP Profile Insert X-Forwarded-For : Enabled Suppose the client has already added the "X-Forwarded-For" header value to the request. How will BIG-IP behave ? Will it leave the existing header value intact ? Or will it overwrite the value with what it believes to be the request client ip ? Further, at what point in request-processing does the insert/replace header operation occur ? Does it occur before iRule processing so that the header value is available within the iRule event processing when HTTP_REQUEST {} ?
iRule to use HEADER name and value to redirect bot traffic to a specific pool
We are looking for the detail: "X-APP-WHITELIST" in the header equal to "8" OR if the user-agent has, "googlebot" discovered in the header. Not looking at the XFF part of the header. Is there a better name than, "googlebot" to use? Thank you all for your replies. This is awesome. when HTTP_REQUEST { if { [HTTP::header exists X-APP-WHITELIST] and [HTTP::header X-APP-WHITELIST] equals "8" or [string tolower [HTTP::header User-Agent]] contains "googlebot" } { pool A } else { pool default } }Cannot POST files >60KB via BIGIP LTM
Hi, My Customers are facing an issue wherein the users not able to POST files >60KB to an application abc.xyz.com hosted on BIGIP. Below is the error they see, {"errors":["errors.adt.ci.metainfo.provider.not.found "]} However, they are able to send directly to the backend server without any issues. For the above VS on BIGIP, the default HTTP profile has been attached wherein the Maximum Header Size is as around 32KB. Is there anyway to increase this file limit or solve this issue ??? Thanks in advance, MSKBIG-IP : header added timestamp
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi For the case where multiple identical headers (e.g. X-FORWARDED-FOR) accumulate as a request passes through a series of entities ( e.g. clients, forward-proxies, CDNs, reverse-proxies, & servers ) : X-FORWARDED-FOR 10.10.20.1 X-FORWARDED-FOR 199.16.144.5 X-FORWARDED-FOR 204.15.0.249 Does the request include timestamp data for each header added ? If BIG-IP adds a header , does it record the timestamp somewhere ?
ASM issue- Replacing header info
Hi, My ASm is is replcainf the header infirmation and that is stopping my application to work. How can i stop changing the contents. with direct server (pool member) HTTP/1.1 200 OK Date: Fri, 20 Nov 2015 10:42:01 GMT Server: Apache X-Frame-Options: SAMEORIGIN Last-Modified: Thu, 19 Nov 2015 12:05:21 GMT Accept-Ranges: bytes Content-Length: 24349 X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-store, no-cache, must-revalidate Connection: close Content-Type: application/javascript with VIP (ASM enabled) HTTP/1.1 200 OK Connection: close Cache-Control: no-cache Content-Type: text/html; charset=utf-8 Pragma: no-cache Content-Length: 187
TLS/1.0, PCI, and a custom message for HTTP response status codes
By June 30, 2018 we would like to turn off TLS/1.0 on all our HTTPS websites, in order to be compliant with PCI requirements. Instead of just turning TLS/1.0 off, we would like to use that time between now and June 30, 2018 to seamlessly phase the TLS/1.0 out. To do so, our F5 still supports all TLS protocols (TLS/1.0, TLS/1.1, and TLS/1.2), but only the clients supporting TLS/1.1 and above get the actual website content. Everyone else (clients supporting TLS/1.0 only) gets a custom error page informing them about the browser upgrade requirement. To achieve that, I'm using the HTTP status code "426 Upgrade Required". Please see: 4.2 Mandatory Advertisement in RFC2817 Server-initiated upgrade to TLS The expected result is: HTTP/1.1 426 Upgrade Required Upgrade: TLS/1.1, HTTP/1.1 Connection: Upgrade ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... Unfortunately, F5 gives me the following result: HTTP/1.1 426 Unknown Code Upgrade: TLS/1.1, HTTP/1.1 Connection: close ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... My iRule looks like this: Detect TLSv1.0 protocol and send HTTP 426 when HTTP_REQUEST priority 150 { if { [SSL::cipher version] equals "TLSv1" } { log local0. "TLS/1.0 connection detected from [IP::client_addr] for [HTTP::host]" HTTP::respond 426 -version auto content $static::obsolete_browser_page noserver "Upgrade" "TLS/1.1, HTTP/1.1" "Content-Type" "text/html" "Cache-Control" "no-cache" "Retry-After" "60" "Connection" "Close" event disable return } } If I use "Connection" "Upgrade" in the HTTP::respond code, as defined in the aforementioned RFC2817, F5 replaces it with Connection: Keep-Alive in the actual response which is being sent back to the client. My questions are: Question 1: is there a way in F5 to replace the message in HTTP response, so that it says: HTTP/1.1 426 Upgrade Required instead of HTTP/1.1 426 Unknown Code Question 2: is there a way to force F5 to send HTTP header that says: Connection: Upgrade instead of Connection: close or Connection: Keep-AliveDo I need to check HTTP::header exists before checking value?
I feel like this is a simple question, but I can't seem to find a definitive answer... To check the value of a particular HTTP header, I can do this: if { [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } My basic question is "What happens is the Origin header is not passed?"... The spec says that HTTP::header will return null if the header called does not exist. What does this mean for my if statement - is null treated the same as false in an if statement? If the above code example will be problematic if Origin is not passed, can I write the code as a single line, like this: if { [HTTP::header exists Origin] and [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } or does it need to be two separate nested if statements: if { [HTTP::header exists Origin] } { if {[HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } }
iRule Help Inserting Header in HTTP_REQUEST_DATA
Hello, I'm attempting to insert a header which contains error values from a 'Sideband' response. I can't post the whole code due to what it does. For example:- when HTTP_REQUEST { set host_header [HTTP::host] set host_status [string tolower [class match -value [HTTP::host] starts_with DataGroup1]] set uri [HTTP::uri] set uri_status [string tolower [class match -value [HTTP::uri] starts_with DataGroup2]] set sessionid "" if {[HTTP::cookie exists "JSESSIONID"]} { set sessionid [HTTP::cookie value "JSESSIONID"] } if {[HTTP::method] eq "POST" && $host_status eq "on" && $uri_status eq "on"}{ if {[HTTP::header exists "Content-Length"] }{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } HTTP::collect $content_length } } when HTTP_REQUEST_DATA { set payload [HTTP::payload] #DO SOME STUFF# set pool1 [class match -value locale starts_with Datagroup3] if { [active_members $pool1] < 1 } { log local0. "The pool member is down" HTTP::header insert x-error-code Ts-Unavailable ***Above not inserting Header*** } else { #CONSTRUCT SOAP PAYLOAD# #POST DATA TO SIDEBAND SERVICE# set conn [connect -timeout 1000 -status conn_status %Virtual1] set conn_info [connect info -idle -status $conn] set send_info [send -timeout 1000 $conn $request_to_send] set recv_request [recv -timeout 1000 $conn] close $conn if {$recv_request contains "<errorCode>"}{ set start_error "<errorCode>" set end_error "</errorCode>" set pos_error [ string first $start_error $recv_request] set error_path_and_value [substr $recv_request $pos_error "</errorCode>"] set error_value [getfield $error_path_and_value ">" 2] HTTP::header insert x-error-code $error_value ***Above not inserting Header*** #STRIP OUT DATA# } else { #The Service replied with a valid response. #REPLACE DATA WITH RECEIVED DATA# } } HTTP::release } Should this insert the Header into the HTTP Request destined for the Default Virtual/Pool? Am I missing something? Thanks,
Azure Active Directory and BIG-IP APM Integration
Introduction Security is one of the primary considerations for organizations in determining whether or not to migrate applications to the public cloud. The problem for organizations with applications in the cloud, in a data center, managed, or as a service, is to create a cost-effective hybrid architecture that produces secure application access and a great experience that allows users to access apps easily, have consistent user experiences, and enjoy easy access with single-sign-on (SSO) tied to a central identity and authentication strategy. Some applications are not favorable to modernization. There are applications that are not suited for, or incapable of, cloud migration. Many on-premises apps do not support modern authentication and authorization, including standards and protocols such as SAML, OAuth, or OpenID Connect (OIDC). An organization may not have the staff talent or time to perform application modernization for their on-premises apps. With thousands of apps in use daily, hosted in all or any combination of these locations, how can organizations ensure secure, appropriate user access without requiring users to login in multiple times? In addition, how can organizations terminate user access to each application without having to access each app individually? By deploying Microsoft Azure Active Directory, Microsoft’s comprehensive cloud-based identity platform, along with F5’s trusted application access solution, Access Policy Manager (APM), organizations are able to federate user identity, authentication, and authorization and bridge the identity gap between cloud-based (IaaS), SaaS, and on-premises applications. Figure 1Secure hybrid application access This guide discusses the following use cases: ·Users use single sign-on to access applications requires Kerberos-based authentication. ·Users use single sign-on to access applications requires header-based authentication. Microsoft Azure Active Directory and F5 BIG-IP APM Design For organizations with a high security demand with low risk tolerance, the need to keep all aspects of user authentication on premise is required. The Microsoft Azure Active Directory and F5 BIG-IP APM solution integrates directly into AAD configured to work cooperatively with an existing Kerberos based, header based or variety of authentication methods. The solution has these components: •BIG-IP Access Policy Manager (APM) •Microsoft Domain Controller/ Active Directory (AD) •Microsoft Azure Active Directory (AAD) •Application (Kerberos-/header-based authentication) Figure 2APM bridge SAML to Kerberos/header authentication components Figure 3APM bridge SAML to Kerberos authentication process flow Deploying Azure Active Directory and BIG-IP APM integration The joint Microsoft and F5 solution allow legacy applications incapable of supporting modern authentication and authorization to interoperate with Azure Active Directory. Even if an app doesn’t support SAML, and only is able to support header- or Kerberos-based authentication, it can still be enabled with single sign-on (SSO) and support multi-factor authentication (MFA) through the F5 APM and Azure Active Directory combination. Azure Active Directory as an IDaaS delivers a trusted root of identity to APM creating a bridge between modern and legacy applications, delivering SSO and securing the app with MFA. Adding F5 from the gallery To configure the integration of BIG-IP APM into Azure AD, you need to add F5 from the gallery to your list of managed SaaS apps. Sign-on to theAzure portalusing either a work or school account, or a personal Microsoft account. On the left navigation pane, select theAzure Active Directoryservice. Navigate toEnterprise Applicationsand then selectAll Applications. To add new application, selectNew application. In theAdd from the gallerysection, typeF5in the search box. SelectF5from results panel and then add the app. Wait a few seconds while the app is added to your tenant. Configuring Microsoft Azure Active Directory Configure and test Azure AD SSO with F5 using a test user calledA.Vandelay. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5. To configure and test Azure AD SSO with F5, complete the following building blocks: Configure Azure AD SSO - to enable your users to use this feature. Create an Azure AD test user - to test Azure AD single sign-on with A.Vandelay. Assign the Azure AD test user - to enable A.Vandelay to use Azure AD single sign-on. Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal. In theAzure portal, on theF5application integration page, find theManagesection and selectsingle sign-on. On theSelect a single sign-on methodpage, selectSAML. On theSet up single sign-on with SAMLpage, click the edit/pen icon forBasic SAML Configurationto edit the settings. On theBasic SAML Configurationsection, if you wish to configure the application inIDPinitiated mode, enter the values for the following fields: In theIdentifiertext box, type a URL using the following pattern:https://<YourCustomFQDN>.f5.com/ In theReply URLtext box, type a URL using the following pattern:https://<YourCustomFQDN>.f5.com/ ClickSet additional URLsand perform the following step if you wish to configure the application inSPinitiated mode: In theSign-on URLtext box, type a URL using the following pattern:https://<YourCustomFQDN>.f5.com/ Note These values are for only used for illustration. Replace these them with the actual Identifier, Reply URL and Sign-on URL. Refer to the patterns shown in theBasic SAML Configurationsection in the Azure portal. On theSet up single sign-on with SAMLpage, in theSAML Signing Certificatesection, findFederation Metadata XMLand selectDownloadto download the certificate and save it on your computer. On theSet up F5section, copy the appropriate URL(s) based on your requirement. Create an Azure AD test user In this section, you'll create a test user in the Azure portal called A.Vandelay. From the left pane in the Azure portal, selectAzure Active Directory, selectUsers, and then selectAll users. SelectNew userat the top of the screen. In theUserproperties, follow these steps: In theNamefield, enterA.Vandelay. In theUser namefield, enter the username@companydomain.extension. For example,A.Vandelay@contoso.com. Select theShow passwordcheck box, and then write down the value that's displayed in thePasswordbox. ClickCreate. Assign the Azure AD test user In this section, you'll enable A.Vandelay to use Azure single sign-on by granting access to F5. In the Azure portal, selectEnterprise Applications, and then selectAll applications. In the applications list, selectF5. In the app's overview page, find theManagesection and selectUsers and groups. SelectAdd user, then selectUsers and groupsin theAdd Assignmentdialog. In theUsers and groupsdialog, selectA.Vandelayfrom the Users list, then click theSelectbutton at the bottom of the screen. If you're expecting any role value in the SAML assertion, in theSelect Roledialog, select the appropriate role for the user from the list and then click theSelectbutton at the bottom of the screen. In theAdd Assignmentdialog, click theAssignbutton. Configure F5 BIG-IP APM Configure your on-premise applications based on the authentication type. Configure F5 single sign-on for Kerberos-based application Open your browser and access BIG-IP. You need to import the Metadata Certificate into the F5 (Kerberos) which will be used later in the setup process. Go toSystem > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click onImportof the right-hand corner. Additionally you also need anSSL Certificatefor the Hostname (Kerbapp.superdemo.live), in this example we used Wildcard Certificate. Go to –F5 BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider. Specify theEntity ID(same as what you configured on the Azure AD Application Configuration). Create a new Virtual Server, Specify theDestination Address. Choose theWild Card Certificate(orCertyou uploaded for the Application) that we uploaded earlier and theAssociated Private Key. Upload the ConfigurationMetadataand Specify a newName for SAML IDP Connectorand you will also need to specify the Federation Certificate that was uploaded earlier. Create NewBackend App Pool, specify theIP Address(s)of the Backend Application Servers. UnderSingle Sign-on Settings, chooseKerberosand SelectAdvanced Settings. The request needs to be created inuser@domain.suffix. Under theusername sourcespecifysession.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. Refer Appendix for complete list of variables and values. Account Name Is the F5 Delegation Account Created ( Check F5 Documentation). Under Endpoint Checks Properties , click Save & Next. Under Timeout Settings, leave default settings and click Save & Next. Review Summaryand click onDeploy. Configure F5 single sign-on for Header-based application Open your browser and access BIG-IP. You need to import the Metadata Certificate into the F5 (Header Based) which will be used later in the setup process. Go toSystem > Certificate Management > Traffic Certificate Management >> SSL Certificate List. Click onImportof the right-hand corner. Additionally you also need anSSL Certificatefor the Hostname (headerapp.superdemo.live), in this example we used Wildcard Certificate. Go to –F5 (Header Based) BIG-IP Click Access > Guided Configuration > Federation > SAML Service Provider. Specify theEntity ID(same as what you configured on the Azure AD Application Configuration). Create a new Virtual Server, Specify theDestination Address,Redirect Portis Optional. Choose theWild Card Certificate(orCertyou uploaded for the Application) that we uploaded earlier and theAssociated Private Key. Upload the ConfigurationMetadataand Specify a newName for SAML IDP Connectorand you will also need to specify the Federation Certificate that was uploaded earlier. Create NewBackend App Pool, specify theIP Address(s)of the Backend Application Servers. Under Single Sign-on, ChooseHTTP header-based. You can add other Headers based on your application. See the Appendix for the list of SAMLSession Variables. Under Endpoint Checks Properties , click Save & Next. Under Timeout Settings, leave default settings and click Save & Next. Review Summaryand click onDeploy. Resources BIG-IP Knowledge Center BIG-IP APM Knowledge Center Configuring Single Sign-On with Access Policy Manager Summary By centralizing access to all your applications, you can manage them more securely. Through the F5 BIG-IP APM and Azure AD integration, you can centralize and use single sign-on (SSO) and multi-factor authentication for on-premise applications. Validated Products and Versions Product BIG-IP APM Version 15.0
