BIG-IP : http profile : insert multiple headers
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

Via the web-admin, I can create/edit an http profile and set this field :

Request Header Insert = "X-Forwarded-Proto:http"

But what if I want to insert multiple headers ? What is the syntax ? Further, does Request Header Insert erase any pre-existing request headers ? Also, I set Insert X-Forwarded-For to Enabled but logs do not show header X-Forwarded-For to be present.

1.1K Views, 0 likes, 8 Comments

BIG-IP : HTTP Profile Insert X-Forwarded-For Enabled but not found in request headers collection
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

For a Virtual-Server assigned an HTTP Profile configured with :

Insert X-Forwarded-For Enabled

under what circumstances would the header not be inserted ? My iRule logs :

```
when HTTP_REQUEST {
    log local0. "X-Forwarded-For header = [HTTP::header X-Forwarded-For]"
}
```

indicate header is not present -- here is log output :

`X-Forwarded-For header = `

Could disabling HTTP_REQUEST event at end of iRule affect HTTP Profile ability to add the header ?

271 Views, 0 likes, 2 Comments

X-Forwarded-For header
Hi All,

My application team's requirement is to be able to see the actual client IP address of whoever is accessing the application instead of the BIG-IP address, as SNAT (Auto map) is enabled. I have read some SOLs on it and understand that we can achieve this with an iRule or HTTP profile. However, my requirement is to have an iRule so that we can decide whether to add the X-Forwarded-For header to client requests. Can anyone please share an iRule script pertaining to this requirement?

Thanks in advance,
MSK

383 Views, 0 likes, 11 Comments

Differentiating the connections based on headers || HTTP Profile
Hi,

I have a scenario wherein the app team wants to publish an application both to external and internal (intranet). However, the requirement from them is to check on BIG IP to leverage HTTP profile (or iRule) to segregate between external and internal users. They want to have something like

http profile = abc.com_external implies external user
http profile = abc.com_internal implies internal user

Now, below is the traffic flow for both scenarios,

External End user >>> External BIGIP >>> Internal BIGIP >>> Backend Servers
Internal End user >>>> Internal BIGIP >>> Backend Servers

So, the only difference basically is that for external connections the internal BIGIP would see the source as the external BIGIP. Now, my approach is if we can insert something in the header on external BIGIP and monitor for it on the internal BIGIP then we could differentiate between external and internal users. Internal connections would be parsed as normal. Therefore, at the app level on backend servers they could differentiate between external connections by monitoring the newly added header.

Not sure if this could be achievable but would be great if you could provide some help and thoughts.

Br,
MSK

251 Views, 0 likes, 1 Comment

BIG-IP : header added timestamp
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

For the case where multiple identical headers (e.g. X-FORWARDED-FOR) accumulate as a request passes through a series of entities ( e.g. clients, forward-proxies, CDNs, reverse-proxies, & servers ) :

X-FORWARDED-FOR 10.10.20.1
X-FORWARDED-FOR 199.16.144.5
X-FORWARDED-FOR 204.15.0.249

Does the request include timestamp data for each header added ? If BIG-IP adds a header , does it record the timestamp somewhere ?

231 Views, 0 likes, 1 Comment

BIG-IP add custom header
F5 BIG-IP LTM VE v11.4.0 on ESXi

I want to add a custom header to my request before rewriting to a backend server :

```
when HTTP_REQUEST {
    HTTP::header insert uri-original [HTTP::uri]
    ...
    HTTP::uri $rewrite_uri
    pool backend-pool-01
}
```

However my tests do not show this header present. Am I adding the header correctly ? What are the rules around retaining added headers ? How can I log all headers present in my request ?

UPDATE ( 2014-11-29 ) : For case where iRule is assigned to a virtual-server with an http profile, I verified above TCL does add header as expected. However, for https case, adding the header writes errors to the f5 logs :

```
Nov 14 22:03:03 f5-01 err bigd[6134]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.
Nov 14 22:03:04 f5-01 err tmm1[8371]: 01220001:3: TCL error: /Common/xheader-irule-01 - Operation not supported (line 1) invoked from within "HTTP::header insert original-uri [HTTP::uri]"
```

1.2K Views, 0 likes, 16 Comments

BIG-IP : irule : add request header ( replace if exists )
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

I need to add/replace a specific request header. Here's my iRule :

```
when HTTP_REQUEST {
    if { [HTTP::header exists "original-uri"] } {
        HTTP::header replace original-uri [HTTP::uri]
    } else {
        HTTP::header insert original-uri [HTTP::uri]
    }
}
```

Is there a way to perform the insert/replace in a single line ?

1.2K Views, 0 likes, 18 Comments

iRule to redirect user with incorrect certificate to specific url
Hello,

I'm writing an iRule which should redirect the user to a specific URI if the user doesn't have a cert or has an incorrect cert. Client ssl profile client authentication is set to "ignore". I want to redirect a user with an incorrect cert to "https://[HTTP::host]/index.php?id=14", which is the only URI that works without cert auth. HTTP respond or redirect in event "when HTTP_REQUEST_SEND" does not work, but logging does ("No or invalid client Certificate!").

Browser response when I choose an incorrect cert:

" This site can’t provide a secure connection sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR "

Code:

```
when CLIENTSSL_CLIENTCERT {
    HTTP::release
    if { [SSL::cert count] < 1 } {
        log local0. "No client Certificate!"
    }
}

when HTTP_REQUEST {
    if { [HTTP::uri] ne "/index.php?id=14" } {
        if { [SSL::cert count] <= 0 } {
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
    if { [HTTP::uri] eq "/index.php?id=14" } {
        log local0. "uri eq id=14"
        pool XYZ-POOL
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
            HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
            log local0. "http header insert completed"
        } else {
            log local0. "No or invalid client Certificate!"
            HTTP::redirect "https://www.xyz.com/index.php?id=14"
            HTTP::respond 302 Location "https://[HTTP::host]/index.php?id=14"
        }
    }
}
```

Best regards,
Spela

840 Views, 0 likes, 2 Comments

iRule $variable problem
Hi,

I have a problem with writing an iRule ... In the HTTP header I should have a variable called "$STH", and then the problem arises... TCL treats the dollar symbol as a symbol for the variable. What can I do in this case?

```
when HTTP_REQUEST {
    HTTP::header insert "$STH" '523'
}
```

Best regards,
Spela

273 Views, 0 likes, 1 Comment

iRule not being called during Access Policy
I require an iRule to pass headers during an access Policy. Within the policy I added an iRule event with the ID APM-REDIR-2. That should call the following iRule:

```
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACESS:policy agent_id] eq "AMP-REDIR-2" } {
        set CACUPN [ACCESS::session data get "session.logon.last.upn"]
        set CACCN [ACCESS::session data get "session.ssl.cert.subject"]
        HTTP::header insert "CACUPN" $CACUPN
        HTTP::header insert "CACCN" $CACCN
        log local0. "LOG INFO: $CACUPN"
        log local0. "LOG INFO: $CACCN"
    }
}
```

I think my problem is the calling of the iRule. When I test the iRule by adding it to a virtual server and replacing the first two lines with - when ACCESS_ACL_ALLOWED - I can see the log entries, and I see the headers being passed. I cannot see the log entries when I call it in the policy. However, I need to call it in the policy and pass the headers to a pool also assigned during policy. If anyone can see where I am messing up I would appreciate it.

265 Views, 0 likes, 1 Comment