http
107 Topics

HTTP Monitor to Check USER-COUNT from Ivanti Node – Regex Issues
Hi everyone, I'm trying to configure an HTTP health monitor on an F5 LTM to check a value returned by an external Ivanti (Pulse Secure) node. The goal is to parse the value of the USER-COUNT field from the HTML response and ensure it's below or equal to 3000 users (based on our license limit). If the value exceeds that threshold, the monitor should mark the node as DOWN.

The Ivanti node returns a page that looks like this:

    <!DOCTYPE html ... >
    <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
    <head>
    <title>Cluster HealthCheck</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    <h1>Health check details:</h1>
    CPU-UTILIZATION=1;
    <br>SWAP-UTILIZATION=0;
    <br>DISK-UTILIZATION=24;
    <br>SSL-CONNECTION-COUNT=1;
    <br>PLATFORM-LIMIT=25000;
    <br>MAXIMUM-LICENSED-USER-COUNT=0;
    <br>USER-COUNT=200;
    <br>MAX-LICENSED-USERS-REACHED=NO;
    <br>CLUSTER-NAME=CARU-LAB;
    <br>VPN-TUNNEL-COUNT=0;
    <br>
    </body>
    </html>

I’m trying to match the USER-COUNT value using the recv string in the monitor, like this:

    recv "USER-COUNT=([0-9]{1,3}|[1-2][0-9]{3}|3000);"

I’ve also tried many others. The issue is: even when the page returns USER-COUNT=5000;, the monitor still reports the node as UP, when it should be DOWN. The regex seems to match incorrectly.

What I need: A working recv regex that matches USER-COUNT values from 0 to 3000 (inclusive), but fails if the value exceeds that limit.

Has anyone successfully implemented this kind of monitor with a numeric threshold check using recv? Is there a reliable pattern that avoids partial matches within larger numbers? Thanks in advance for any insight or working example.

Solved | 142 Views | 0 likes | 7 Comments

Server reporting requests coming from port 80
I have a site using F5 to provide CAC authentication. It's a PHP server, and I get these values from the SERVER data:

    $_SERVER['SERVER_PROTOCOL'] = HTTP/1.1
    $_SERVER['SERVER_PORT'] = 80

As a user, when I navigate to the site I type HTTPS into the browser, but the site's PHP server still sees it coming in on port 80. I'm assuming the connection between the user and the F5 proxy is over HTTPS, but what's the connection between F5 and my server? Is that supposed to be HTTPS? I guess what I'm wondering is... should I be concerned and looking into this deeper?

Solved | 110 Views | 0 likes | 2 Comments

High CPU utilization (100%).
I observed high CPU utilization (100%) on F5 device, resource provision ASM nominal. I checked the client-side throughput and server-side throughput; both are normal, but I found management interface throughput is very high, and what I noticed is that this is happening in the same time period for the last 30 days. What could be the reason for this spike? Many thanks in advance for your time and consideration.

1.6K Views | 0 likes | 14 Comments

HSTS is not working.
Hi there, We have one iRule configured on the VIP which redirects to a maintenance page if a user accesses the wrong URL. On that page HSTS is not working, but if we access the right URL then HSTS is working. We have enabled HSTS in the HTTP profile, and that is attached to the same VIP as the iRule. Is there any way to enable HSTS on the maintenance page, or any remediation to fix that issue?

    if { $DEBUG } { log local0. "TEST - Source IP address: [IP::client_addr]" }
    switch -glob $uri_ext {
        "/httpfoo*" {set uri_int [string map {"/httpfoo" "/adapter_plain"} $uri_ext]}
        "/httptest*" {set uri_int [string map {"/httptest" "/adapter_plain"} $uri_ext]}
        default {
            HTTP::respond 200 content [ifile get ifile_service_unavailable_html]
            set OK 0
        }
    }

Many thanks in advance.

Solved | 254 Views | 0 likes | 1 Comment

Telemetry Streaming: getting HTTP statistics via SNMP
Hi F5 community, I am looking to get HTTP statistics (total count, and broken down by response code) metrics from Telemetry Streaming via SNMP (seems to be the most viable option).

    F5-BIGIP-LOCAL-MIB::ltmHttpProfileStat
    oid: .1.3.6.1.4.1.3375.2.2.6.7.6

However, the stats don't seem to come out correct at all: I do see deltas happening, but they don't match at all the traffic rate I expect to see. Furthermore, I have done some tests where I would start a load testing tool (vegeta) to fire concurrent HTTP requests, for which I do see the logs from the virtual server, but no matching increment in the above SNMP OID entries on any of the profiles configured. What am I doing wrong? Does something need to be enabled on the HTTP profile in use to collect those stats?

Best,
Owayss

90 Views | 0 likes | 0 Comments

Help with iRule Proxy
Hi team, I’m working on an iRule where I need to replace the path /admin with the root / and forward the request to the appropriate pool. However, I’m encountering issues with the rule, and it doesn't seem to work as expected. Here’s the first version I implemented:

    when HTTP_REQUEST {
        if {[string tolower [HTTP::host]] equals "test.com" and [HTTP::path] starts_with "/admin"} {
            HTTP::path [string map -nocase {"/admin" "/"} [HTTP::path]]
            pool POOL-A
            #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-A"
        } else {
            pool POOL-B
            #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-B"
        }
    }

After some research, I saw that HTTP::path might need to be changed to HTTP::uri. I tried this version:

    when HTTP_REQUEST {
        # Log the original URI for debugging
        log local0. "Original URI: [HTTP::uri]"
        # Check if the URI starts with "/admin"
        if {[HTTP::uri] starts_with "/admin"} {
            # Modify the URI by replacing "/admin" with "/"
            set new_uri [string map {"/admin" "/"} [HTTP::uri]]
            HTTP::uri $new_uri
            # Log the modified URI for debugging
            log local0. "Modified URI: [HTTP::uri]"
            # Forward the request to the appropriate pool
            pool POOL-A
        } else {
            # Log default traffic for debugging
            log local0. "Default traffic - URI: [HTTP::uri], Pool: POOL-B"
            # Forward to the default pool
            pool POOL-B
        }
    }

Issue: Neither version seems to work. When I test requests to /admin, the path replacement does not happen as expected, or the replacement of the path does not allow me to reach any subfolders after root “/” (ex. help, etc etc), and on these objects we faced a 404 not found error. Could someone point out what I might be missing or any best practices for this kind of path manipulation? Thanks!

102 Views | 0 likes | 1 Comment

Port Translation & HTTPS -> HTTP
System information: F5 BIG-IP r2600 Version 17.1.1.1 Build 0.0.2

Hello everyone, We would like to map the following scenario with the F5 BIG-IP: I call https://server.domain.com port 443. The BIG-IP should then forward to http://server.domain.com port 55000. Is this even possible? How did you solve it?

Configuration: For port translation, we entered port 443 in the virtual server and gave the pool member port 55000. For HTTPS to HTTP we used the following iRule:

    when HTTP_REQUEST {
        # Extract the host and the URI from the HTTPS request
        set host [HTTP::host]
        set uri [HTTP::uri]
        # Redirect the request to the HTTP version of the same URL
        HTTP::respond 301 Location "http://$host$uri"
        log "iRule_HTTP, HTTPS-Anfrage wurde auf HTTP umgeleitet: $host$uri, ClientIP: [IP::client_addr], ClientPort: [TCP::client_port]"
    }

Is the iRule log entry generated before the port translation? The wrong port is in the logs. Best regards

Solved | 286 Views | 0 likes | 2 Comments

Revocation Status in HTTP Request Header
I'm setting up a web app that will use the EDIPI to validate my user's accounts. I think I have a working understanding of how that'll work--I'm going to be setting up an iRule to forward the user's EDIPI to the server. (see here) It dawned on me that I'm not really sure how that process works with the revocation status. If their CAC is revoked, will CLIENTSSL_HANDSHAKE or HTTP_REQUEST_RELEASE fire? I'm picturing still getting their EDIPI off the CAC and setting that in the header, but also getting their revocation status and putting a yes/no in the header for "x-revoked". I could easily then check that in my server code. I believe that's how that works with Cloud 1. Is that the way I'd do that, or would the best practice be to just not send their request at all somehow?

Solved | 625 Views | 0 likes | 2 Comments