BIG-IP : http profile : insert x-forwarded-for : enabled
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi HTTP Profile Insert X-Forwarded-For : Enabled Suppose the client has already added the "X-Forwarded-For" header value to the request. How will BIG-IP behave ? Will it leave the existing header value intact ? Or will it overwrite the value with what it believes to be the request client ip ? Further, at what point in request-processing does the insert/replace header operation occur ? Does it occur before iRule processing so that the header value is available within the iRule event processing when HTTP_REQUEST {} ?
iRule to use HEADER name and value to redirect bot traffic to a specific pool
We are looking for the detail: "X-APP-WHITELIST" in the header equal to "8" OR if the user-agent has, "googlebot" discovered in the header. Not looking at the XFF part of the header. Is there a better name than, "googlebot" to use? Thank you all for your replies. This is awesome. when HTTP_REQUEST { if { [HTTP::header exists X-APP-WHITELIST] and [HTTP::header X-APP-WHITELIST] equals "8" or [string tolower [HTTP::header User-Agent]] contains "googlebot" } { pool A } else { pool default } }Cannot POST files >60KB via BIGIP LTM
Hi, My Customers are facing an issue wherein the users not able to POST files >60KB to an application abc.xyz.com hosted on BIGIP. Below is the error they see, {"errors":["errors.adt.ci.metainfo.provider.not.found "]} However, they are able to send directly to the backend server without any issues. For the above VS on BIGIP, the default HTTP profile has been attached wherein the Maximum Header Size is as around 32KB. Is there anyway to increase this file limit or solve this issue ??? Thanks in advance, MSKBIG-IP : header added timestamp
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi For the case where multiple identical headers (e.g. X-FORWARDED-FOR) accumulate as a request passes through a series of entities ( e.g. clients, forward-proxies, CDNs, reverse-proxies, & servers ) : X-FORWARDED-FOR 10.10.20.1 X-FORWARDED-FOR 199.16.144.5 X-FORWARDED-FOR 204.15.0.249 Does the request include timestamp data for each header added ? If BIG-IP adds a header , does it record the timestamp somewhere ?
ASM issue- Replacing header info
Hi, My ASm is is replcainf the header infirmation and that is stopping my application to work. How can i stop changing the contents. with direct server (pool member) HTTP/1.1 200 OK Date: Fri, 20 Nov 2015 10:42:01 GMT Server: Apache X-Frame-Options: SAMEORIGIN Last-Modified: Thu, 19 Nov 2015 12:05:21 GMT Accept-Ranges: bytes Content-Length: 24349 X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000; includeSubDomains Cache-Control: no-store, no-cache, must-revalidate Connection: close Content-Type: application/javascript with VIP (ASM enabled) HTTP/1.1 200 OK Connection: close Cache-Control: no-cache Content-Type: text/html; charset=utf-8 Pragma: no-cache Content-Length: 187
TLS/1.0, PCI, and a custom message for HTTP response status codes
By June 30, 2018 we would like to turn off TLS/1.0 on all our HTTPS websites, in order to be compliant with PCI requirements. Instead of just turning TLS/1.0 off, we would like to use that time between now and June 30, 2018 to seamlessly phase the TLS/1.0 out. To do so, our F5 still supports all TLS protocols (TLS/1.0, TLS/1.1, and TLS/1.2), but only the clients supporting TLS/1.1 and above get the actual website content. Everyone else (clients supporting TLS/1.0 only) gets a custom error page informing them about the browser upgrade requirement. To achieve that, I'm using the HTTP status code "426 Upgrade Required". Please see: 4.2 Mandatory Advertisement in RFC2817 Server-initiated upgrade to TLS The expected result is: HTTP/1.1 426 Upgrade Required Upgrade: TLS/1.1, HTTP/1.1 Connection: Upgrade ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... Unfortunately, F5 gives me the following result: HTTP/1.1 426 Unknown Code Upgrade: TLS/1.1, HTTP/1.1 Connection: close ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... My iRule looks like this: Detect TLSv1.0 protocol and send HTTP 426 when HTTP_REQUEST priority 150 { if { [SSL::cipher version] equals "TLSv1" } { log local0. "TLS/1.0 connection detected from [IP::client_addr] for [HTTP::host]" HTTP::respond 426 -version auto content $static::obsolete_browser_page noserver "Upgrade" "TLS/1.1, HTTP/1.1" "Content-Type" "text/html" "Cache-Control" "no-cache" "Retry-After" "60" "Connection" "Close" event disable return } } If I use "Connection" "Upgrade" in the HTTP::respond code, as defined in the aforementioned RFC2817, F5 replaces it with Connection: Keep-Alive in the actual response which is being sent back to the client. My questions are: Question 1: is there a way in F5 to replace the message in HTTP response, so that it says: HTTP/1.1 426 Upgrade Required instead of HTTP/1.1 426 Unknown Code Question 2: is there a way to force F5 to send HTTP header that says: Connection: Upgrade instead of Connection: close or Connection: Keep-AliveDo I need to check HTTP::header exists before checking value?
I feel like this is a simple question, but I can't seem to find a definitive answer... To check the value of a particular HTTP header, I can do this: if { [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } My basic question is "What happens is the Origin header is not passed?"... The spec says that HTTP::header will return null if the header called does not exist. What does this mean for my if statement - is null treated the same as false in an if statement? If the above code example will be problematic if Origin is not passed, can I write the code as a single line, like this: if { [HTTP::header exists Origin] and [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } or does it need to be two separate nested if statements: if { [HTTP::header exists Origin] } { if {[HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } }
iRule Help Inserting Header in HTTP_REQUEST_DATA
Hello, I'm attempting to insert a header which contains error values from a 'Sideband' response. I can't post the whole code due to what it does. For example:- when HTTP_REQUEST { set host_header [HTTP::host] set host_status [string tolower [class match -value [HTTP::host] starts_with DataGroup1]] set uri [HTTP::uri] set uri_status [string tolower [class match -value [HTTP::uri] starts_with DataGroup2]] set sessionid "" if {[HTTP::cookie exists "JSESSIONID"]} { set sessionid [HTTP::cookie value "JSESSIONID"] } if {[HTTP::method] eq "POST" && $host_status eq "on" && $uri_status eq "on"}{ if {[HTTP::header exists "Content-Length"] }{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } HTTP::collect $content_length } } when HTTP_REQUEST_DATA { set payload [HTTP::payload] #DO SOME STUFF# set pool1 [class match -value locale starts_with Datagroup3] if { [active_members $pool1] < 1 } { log local0. "The pool member is down" HTTP::header insert x-error-code Ts-Unavailable ***Above not inserting Header*** } else { #CONSTRUCT SOAP PAYLOAD# #POST DATA TO SIDEBAND SERVICE# set conn [connect -timeout 1000 -status conn_status %Virtual1] set conn_info [connect info -idle -status $conn] set send_info [send -timeout 1000 $conn $request_to_send] set recv_request [recv -timeout 1000 $conn] close $conn if {$recv_request contains "<errorCode>"}{ set start_error "<errorCode>" set end_error "</errorCode>" set pos_error [ string first $start_error $recv_request] set error_path_and_value [substr $recv_request $pos_error "</errorCode>"] set error_value [getfield $error_path_and_value ">" 2] HTTP::header insert x-error-code $error_value ***Above not inserting Header*** #STRIP OUT DATA# } else { #The Service replied with a valid response. #REPLACE DATA WITH RECEIVED DATA# } } HTTP::release } Should this insert the Header into the HTTP Request destined for the Default Virtual/Pool? Am I missing something? Thanks,
Using F5 as a Service Provider with Okta IdP
I've read part 1 and 2 of this article for how to connect F5 as a service provider to Okta: Secure Access to Web Applications with F5 and Okta... - DevCentral However, it doesn't provide instructions for how to get theSingle sign on URLand theAudience URIfor the app, and I also can't find an article for how to connect F5 to the application to pass the header or kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.Rewrite URL in header and add URI
Hi, I have this to achieve, and I'm getting a bit lost: So the client hits a VIP on port 443, SSL is offloaded with a CA certificate (abc.com), and traffic is re encrypted and sent to pool member on port 8044, which has a certificate for xyz.com/some_uri. So I need an iRule to: 1) Change URL in header from abc.com to xyz.com 2) Add /some_uri at the end of URL Is that even possible? I mean the iRules should affect the incoming traffic after it's being decrypted, right? If so, how to design those iRules (it's not a redirect, isn't it?) I was thinking of something like this, but I'm not sure this will do the trick: when HTTP_REQUEST { HTTP::header replace Host xyz.com HTTP::uri /some_uri } Also, the client comes with it's own certificate, which than has to be passed to the pool member to authenticate (not on the F5, the authentication has to be made on the real server). Is it enough to check the Proxy SSL checkbox in the profile?