An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing ssl termination on F5) fails because the enriched header from client contains reserved tls extension values. (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtmltls-extensiontype-values-1). The Client Hello request in the SSL Handshake was captured and contained an Extensions list, which included a reserved TLS Extension value (17156), which the F5 isn't presenting in Server Hello. I need an irule that can allow that Extension to be added on the client ssl profile so the ssl handshake doesn't fail.
How to validate receive string and set multiple send string
For one of the VIP below is the HTTP Send String I configured. GET /portal/portaladmin/healthCheck HTTP/1.1\r\nHost: TEST.TEST.Ca\r\nConnection: Close\r\n\r\n How to confirm what I am receiving in as receive string? I need to set Receive String as 401. ? I used Curl and I see 401 is showed up ( marked Black ). So is it that I only need to write 401 in the Receive String of Monitor ? 2nd question I need to set multiple monitor for different services configured on same server. How to set multiple send string from a single Monitor Configuration. ? Let say if I am configuring 2 send string and 2 corresponding receive string how to set that when both of the String Condition need to be True as a condition to mark the VIP live. ? [admin@F5:Active:In Sync] ~ # curl -vk https://test.test.ca/portal/portaladmin/healthCheck * About to connect() to test.test.ca port 443 (#0) *Trying 10.8.16.62... connected * Connected to test.test.ca (10.8.16.62) port 443 (#0) * successfully set certificate verify locations: *CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using DHE-RSA-AES256-GCM-SHA384 * Server certificate: *subject: C=CA; ST=ns; L=Halifax; O=Nova Scotia Power Inc; OU=IT; CN=test.test.ca *start date: 2019-04-17 00:00:00 GMT *expire date: 2021-04-21 12:00:00 GMT *subjectAltName: test.test.ca matched *issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA *SSL certificate verify ok. > GET /portal/portaladmin/healthCheck HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18 > Host: test.test.ca > Accept: */* > < HTTP/1.1 401 Unauthorized < Content-Type: text/html < Server: Microsoft-IIS/10.0 < WWW-Authenticate: Negotiate < WWW-Authenticate: NTLM < X-Powered-By: ASP.NET < Date: Mon, 05 Aug 2019 18:41:27 GMT < Connection: close < Content-Length: 1293 < Vary: Accept-Encoding < <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>401 - Unauthorized: Access is denied due to invalid credentials.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div> </div> </body> </html> * Closing connection #0 * SSLv3, TLS alert, Client hello (1):
Do I need to check HTTP::header exists before checking value?
I feel like this is a simple question, but I can't seem to find a definitive answer... To check the value of a particular HTTP header, I can do this: if { [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } My basic question is "What happens is the Origin header is not passed?"... The spec says that HTTP::header will return null if the header called does not exist. What does this mean for my if statement - is null treated the same as false in an if statement? If the above code example will be problematic if Origin is not passed, can I write the code as a single line, like this: if { [HTTP::header exists Origin] and [HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } or does it need to be two separate nested if statements: if { [HTTP::header exists Origin] } { if {[HTTP::header Origin] ends_with "example.com" } { ...do stuff here... } }
Using F5 as a Service Provider with Okta IdP
I've read part 1 and 2 of this article for how to connect F5 as a service provider to Okta: Secure Access to Web Applications with F5 and Okta... - DevCentral However, it doesn't provide instructions for how to get theSingle sign on URLand theAudience URIfor the app, and I also can't find an article for how to connect F5 to the application to pass the header or kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.
TLS/1.0, PCI, and a custom message for HTTP response status codes
By June 30, 2018 we would like to turn off TLS/1.0 on all our HTTPS websites, in order to be compliant with PCI requirements. Instead of just turning TLS/1.0 off, we would like to use that time between now and June 30, 2018 to seamlessly phase the TLS/1.0 out. To do so, our F5 still supports all TLS protocols (TLS/1.0, TLS/1.1, and TLS/1.2), but only the clients supporting TLS/1.1 and above get the actual website content. Everyone else (clients supporting TLS/1.0 only) gets a custom error page informing them about the browser upgrade requirement. To achieve that, I'm using the HTTP status code "426 Upgrade Required". Please see: 4.2 Mandatory Advertisement in RFC2817 Server-initiated upgrade to TLS The expected result is: HTTP/1.1 426 Upgrade Required Upgrade: TLS/1.1, HTTP/1.1 Connection: Upgrade ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... Unfortunately, F5 gives me the following result: HTTP/1.1 426 Unknown Code Upgrade: TLS/1.1, HTTP/1.1 Connection: close ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... My iRule looks like this: Detect TLSv1.0 protocol and send HTTP 426 when HTTP_REQUEST priority 150 { if { [SSL::cipher version] equals "TLSv1" } { log local0. "TLS/1.0 connection detected from [IP::client_addr] for [HTTP::host]" HTTP::respond 426 -version auto content $static::obsolete_browser_page noserver "Upgrade" "TLS/1.1, HTTP/1.1" "Content-Type" "text/html" "Cache-Control" "no-cache" "Retry-After" "60" "Connection" "Close" event disable return } } If I use "Connection" "Upgrade" in the HTTP::respond code, as defined in the aforementioned RFC2817, F5 replaces it with Connection: Keep-Alive in the actual response which is being sent back to the client. My questions are: Question 1: is there a way in F5 to replace the message in HTTP response, so that it says: HTTP/1.1 426 Upgrade Required instead of HTTP/1.1 426 Unknown Code Question 2: is there a way to force F5 to send HTTP header that says: Connection: Upgrade instead of Connection: close or Connection: Keep-AliveBIG-IP : http profile : insert x-forwarded-for : enabled
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi HTTP Profile Insert X-Forwarded-For : Enabled Suppose the client has already added the "X-Forwarded-For" header value to the request. How will BIG-IP behave ? Will it leave the existing header value intact ? Or will it overwrite the value with what it believes to be the request client ip ? Further, at what point in request-processing does the insert/replace header operation occur ? Does it occur before iRule processing so that the header value is available within the iRule event processing when HTTP_REQUEST {} ?
Cannot POST files >60KB via BIGIP LTM
Hi, My Customers are facing an issue wherein the users not able to POST files >60KB to an application abc.xyz.com hosted on BIGIP. Below is the error they see, {"errors":["errors.adt.ci.metainfo.provider.not.found "]} However, they are able to send directly to the backend server without any issues. For the above VS on BIGIP, the default HTTP profile has been attached wherein the Maximum Header Size is as around 32KB. Is there anyway to increase this file limit or solve this issue ??? Thanks in advance, MSKRewrite URL in header and add URI
Hi, I have this to achieve, and I'm getting a bit lost: So the client hits a VIP on port 443, SSL is offloaded with a CA certificate (abc.com), and traffic is re encrypted and sent to pool member on port 8044, which has a certificate for xyz.com/some_uri. So I need an iRule to: 1) Change URL in header from abc.com to xyz.com 2) Add /some_uri at the end of URL Is that even possible? I mean the iRules should affect the incoming traffic after it's being decrypted, right? If so, how to design those iRules (it's not a redirect, isn't it?) I was thinking of something like this, but I'm not sure this will do the trick: when HTTP_REQUEST { HTTP::header replace Host xyz.com HTTP::uri /some_uri } Also, the client comes with it's own certificate, which than has to be passed to the pool member to authenticate (not on the F5, the authentication has to be made on the real server). Is it enough to check the Proxy SSL checkbox in the profile?How to enable CORS on LTM?
Im very very new to the f5, and Ive read a few documents in the forum today on how to enable CORS. First with iRules (complex method)- outside of the scope of what I am being asked to do, but if its the only way then im all for it versus http profile/header insert (closer to what I am looking to do) From what I have read all around though, it seems these solutions are for ASM model. While attempting to do the simple method of using the http profile and header insert, the options are not available or not as whats described in other threads, could be I need to look around more. Any help/guidance is appreciated. I will continue reading what others have posted before and continue my own learning in this process but thought it best to ask first to save time and effort if its not even an option on the LTM. For reference the LTM appliance is on v14.0iRule to use HEADER name and value to redirect bot traffic to a specific pool
We are looking for the detail: "X-APP-WHITELIST" in the header equal to "8" OR if the user-agent has, "googlebot" discovered in the header. Not looking at the XFF part of the header. Is there a better name than, "googlebot" to use? Thank you all for your replies. This is awesome. when HTTP_REQUEST { if { [HTTP::header exists X-APP-WHITELIST] and [HTTP::header X-APP-WHITELIST] equals "8" or [string tolower [HTTP::header User-Agent]] contains "googlebot" } { pool A } else { pool default } }