BIG-IP : http profile : insert x-forwarded-for : enabled
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi HTTP Profile Insert X-Forwarded-For : Enabled Suppose the client has already added the "X-Forwarded-For" header value to the request. How will BIG-IP behave ? Will it leave the existing header value intact ? Or will it overwrite the value with what it believes to be the request client ip ? Further, at what point in request-processing does the insert/replace header operation occur ? Does it occur before iRule processing so that the header value is available within the iRule event processing when HTTP_REQUEST {} ?BIG-IP : http profile : insert multiple headers
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi Via the web-admin, I can create/edit an http profile and set this field : Request Header Insert = "X-Forwarded-Proto:http" But what if I want to insert multiple headers ? What is the syntax ? Further, does Request Header Insert erase any pre-existing request headers ? Also, I set Insert X-Forwarded-For to Enabled but logs do not show header X-Forwarded-For to be present.BIG-IP : HTTP Profile Insert X-Forwarded-For Enabled but not found in request headers collection
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi For a Virtual-Server assigned an HTTP Profile configured with : Insert X-Forwarded-For Enabled under what circumstances would the header not be inserted ? My iRule logs : when HTTP_REQUEST { log local0. "X-Forwarded-For header = [HTTP::header X-Forwarded-For]" ` indicate header is not present -- here is log output : `X-Forwarded-For header = Could disabling HTTP_REQUEST event at end of iRule affect HTTP Profile ability to add the header ?
Attaching w3c iRule to VS
Hi, I'm in midst of preparation to attach w3c iRule to all the VS in my internet facing BIGIP. I would be attaching to all the VS with http profile. But just wondering, if there would be any impact on the configuration (or change in Properties of VS) when I attach the iRule in question to the VS. Please confirm. Thanks, MSKDifferentiating the connections based on headers || HTTP Profile
Hi, I have a scenario wherein the app team wants to publish an application both to external and internal (intranet). However, the requirement from them is to check on BIG IP to leverage HTTP profile (or iRule) to segregate between external and internal users. They want to have something like http profile = abc.com_external implies external user http profile = abc.com_internal implies internal user Now, below is the traffic flow for both scenarios, External End user >>> External BIGIP >>> Internal BIGIP >>> Backend Servers Internal End user >>>> Internal BIGIP >>> Backend Servers So, the only difference basically is that for external connections the internal BIGIP would see the source as the external BIGIP. Now, my approach is if we can insert something in the header on external BIGIP and monitor for it on the internal BIGIP then we could differentiate between external and internal users. Internal connections would be parsed as normal. Therefore, at the app level on backend servers they could differentiate between external connections by monitoring the newly added header. Not sure if this could be achievable but would be great if you could provide some help and thoughts. Br, MSKApply Persistence Cookie on iRule (multi pool)
Hello, We use the bellow iRule to LB to multiple pools depending on URI: when HTTP_REQUEST { set uri [string tolower [HTTP::uri]] if { $uri starts_with "/content" } { pool Pool_CRM81_Content_80 } elseif { $uri starts_with "/ecommunications_ccfra" } { pool Pool_CRM81_ccfra } else { drop } } We'd Like to apply persistence cookie for Pool_CRM81_ccfra Only. Trying to add command "persist cookie" failed, can you give advices please? Thank you in advance
APM Returning "Big IP" in Server field, but need to hide that information.
I have one of my customers running through APM for some SAML authentication. One of their concerns is that when inspecting some headers the Server field is populated with "Big IP", while the customer would prefer another layer of security through obfuscation. It appears that the "Server: Big IP" field is being populated after the 302 redirect from APM when /my.policy is served. Is it possible to hide this field? Due to it being in APM I believe I will need this statement: when CLIENT_ACCEPTED { to get access to restricted URIs ACCESS::restrict_irule_events disable } However, in the irule, is there a way to tell the BigIP to return a different, or no, value in the Server field? Is there a way to do it in the HTTP profile maybe? Thanks.
Device not outputting HTTP Header error into syslog?
I have a production BIG-IP running v15.1.0.4 that is showing unexpected behaviour on a certain LTM error code. I was trying to troubleshoot some connectivity errors and it turned out that the client was sending an oversize HTTP Request header which was greater than the byte limit set in the HTTP "Max header size" value. Normally we would expect to see error code 011f0005 "HTTP header (xxx) exceeded maximum allowed size of 32768" but in this case nothing was observed. A different request with more than the maximum *number* of headers did trigger the separate event "011f0011:3: HTTP header count exceeded maximum allowed count", so the LTM logging is working fine for other codes, just not the header size one. I've compared the same requests on a different F5 pair running the same software version that front a test version of the website affected, and the log entry is being output to syslog as expected, so it seems specific to this production device pair. Is there any way to check lower level logging settings or compare sys db flags between these two pairs so I can try and work out why the error didn't log as expected? Thought it was worth an ask on here prior to raising a suport ticket. Many thanks, DanHTTP_Profile breaking application that relies on Host_header
We are trying to migrate a Web Application from old ACE Load Balancer to F5. The nodes serving the application apply style sheets to the page based on the HTTP Host Header that is received in the GET request. Depending on the FQDN that is called from the browser the application applies a particular style sheet or another. This is currently working as expected in a really old Cisco ACE Load Balancer that does not do any inspection at the HTTP layer other than using SSL. The only way for it to work in the F5 is by removing the HTTP profile so that HTTP inspection does not happen. However, we cannot remove the http_profile because we need cookie persistence and also SSL encryption which is impossible to use without the http_profile. These are my questions: Is there a way to do SSL offloading and cookie persistence in the F5 without using and HTTP profile so that the F5 passes the GET seamlessly without looking at it at all? If there is no way, what you think it could be the cause of the issue here? I know is a very difficult question to answer without looking at more details but general ideas will be appreciated as I am out of ideas right now in how to make this work and the coders do not really want to make any changes to the application to provide me with multiple URIs so that the F5 makes the decision based on that.
JavaScript is not been compressed by HTTP compression profile
i've enabled HTTP compression profile for my one of the web application with Content list box check marked.I've include keyword "text/javascript" and "application/javascript" in content list box.after updating the HTTP profile to Virtual server and seems that Javascript content in HTTP header is not getting compressed by http profile. Content Type Compression (bytes)Pre-CompressPost-Compress HTML 8.3T 1.9T CSS 3.6M 922.7K JavaScript 0 0 XML 291 233 Any thoughts?