Multiple http_request event with http::respond
Hello, I need to make two iRules on the same VS. The two are http_request triggered events with http::respond. When I'm doing this it's making a conflict between them. One is working well and the other one is working until it need to send me the http::respond instead of sending me the page I choose the client side receive an error "This site can’t be reached" in the browser side. Is there a solution to this ? Thanks :)
F5 BIG-IP : SSL::disable serverside drops X-Forwarded-Proto ?
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi My site has a VIP that handles SSL traffic ( port 443 ) The corresponding virtual-server is assigned an HTTP profile that inserts X-Forwarded-Proto:https To this virtual-server I recently added an iRule that in the HTTP_REQUEST event conditionally disables SSL via SSL::disable serverside Is it possible that disabling SSL server-side causes F5 to drop the X-Forwarded-Proto header ? or change its value from https to http ? I ask because I'm seeing traffic arrive at destination web-server missing the X-Forwarded-Proto header.BIG-IP : under what conditions does LB_SELECTED event fire ?
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi Under what conditions does the LB_SELECTED event fire ? If within an iRule's HTTP_REQUEST event-processing-block the pool is explicitly set : when HTTP_REQUEST { pool "my-pool-01" } it appears this will trigger the LB_SELECTED event ( following execution of all HTTP_REQUEST event-processing-blocks ). But what about the case where the pool is not explicitly set within any iRule , but the virtual-server routes traffic to default pool ? In this scenario , will the LB_SELECTED event still fire ? Also, do LB_SELECTED event-processing-blocks fire only after all HTTP_REQUEST event-processing-blocks have completed ? So for a stack of 2 iRules, if I have HTTP_REQUEST blocks in iRules 1 & 2 , will an LB_SELECTED block in iRule 1 begin execution only after the HTTP_REQUEST block in iRule 2 has completed execution ? Another question : my event logs seem to indicate that for a client's initial request upon selecting a pool member the LB_SELECTED event will fire, but not re-fire for subsequent requests by same client to the same back-end server. Is this due to keep-alives establishing a session where selected pool node is maintained for session duration ? Or why else would LB_SELECTED event no longer fire ?BIG-IP add custom header
F5 BIG-IP LTM VE v11.4.0 on ESXi I want to add a custom header to my request before rewriting to a backend server : when HTTP_REQUEST { HTTP::header insert uri-original [HTTP::uri] ... HTTP::uri $rewrite_uri pool backend-pool-01 } However my tests do not show this header present. Am I adding the header correctly ? What are the rules around retaining added headers ? How can I log all headers present in my request ? UPDATE ( 2014-11-29 ) : For case where iRule is assigned to a virtual-server with an http profile, I verified above TCL does add header as expected. However, for https case, adding the header writes errors to the f5 logs : Nov 14 22:03:03 f5-01 err bigd[6134]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure. Nov 14 22:03:04 f5-01 err tmm1[8371]: 01220001:3: TCL error: /Common/xheader-irule-01 - Operation not supported (line 1) invoked from within "HTTP::header insert original-uri [HTTP::uri]"
Sorry page redirect
Im trying to set up an iRule that will redirect traffic to an IIS server when there are no active pool members. I have the basics working. However the sorry page will only display properly the first time if there is a uri. If the user refreshes the page or tries a different uri they get a 404. when HTTP_REQUEST { if { [active_members [LB::server pool]] < 1} { HTTP::uri "/" pool /ESI/solr.erp-pool } } How would i configure this irule to apply every time the user refreshes the page or hits the url again?
Local Traffic Policy and iRule events
Hi, I was reading some post about order of execution, in other words if Local Traffic Policy (LTP) executes before or after iRule. Seems that answer is both 🙂 Scenario: VS with all ports allowed LTP with TCP port is not equal to any of 80; 443 and action Reset traffic iRule with CLIENT_ACCEPTED, HTTP_REQUEST, ACCESS_SESSION_STARTED events (actually few more are in iRule) Without any mods to iRule effect is like that: All commands in CLIENT_ACCEPTED are executed LTP is triggered to reset traffic (log action is performed, so I can see it triggers) All commands in HTTP_REQUEST are performed No command in ACCESS_SESSION_STARTED is executed RST-ACK is send to client CLIENT_CLOSED event is triggered So LTP is not preventing CLIENT_ACCEPTED and HTTP_REQUEST events to be triggered but disables other events and resets connection. I can understand why CLIENT_ACCEPTED is triggered but why HTTP_REQUEST? And why using only matching at TCP connection in LTP causes LTP parameter $1 have http included? I am as well setting variable via LTP. From logging it is obvious that this variable is not yet created when CLIENT_CONNECTED event is executed but it is when HTTP_REQUEST triggers. So for some events iRule is executed first for other LTP. Main question is why LTP allows HTTP_REQUEST to be triggered at all? Matching and actions in LTP are only for TCP protocol not HTTP. Reason I am asking is that I planned to use LTP to limit traffic to specified ports but seems it is not a good solution. Seems that it has to be performed in iRule at least when there is some code to be executed in CLIENT_ACCEPTED as there is no way to disable this event anyhow - or maybe there is? Implementation of Reset traffic is a bit weird. It is using TCP RST for that even if it is still allowing HTTP request to be processed. I understand that LTP is targeting HTTP traffic handling but then instead of TCP RST we should be able to use HTTP respond to more gracefully end client connection. I am able to disable HTTP_REQUEST by setting variable in LTP and checking it in HTTP_REQUEST but not in CLIENT_ACCEPTED. That could be avoided if LTP would not allow HTTP_REQUEST to be triggered. I guess that limiting traffic for all port VS is then possible in two ways: AFM policy iRule Or there is some other way? Piotr
Matching ASCII codes %00 - %1f in HTTP::uri
According to: http://www.w3schools.com/tags/ref_urlencode.asp "The ASCII device control characters %00-%1f were originally designed to control hardware devices. Control characters have nothing to do inside a URL." A vendor software has a bug that actually interprets %00-%1f and does some fateful things on the system as a result. I have the vendor software behind the LTM, and want to close the TCP connection for all URLs with these ASCII codes, particularly "%00". What is the best approach to do this? I tried the below block of code, but the request with "%00" in the URI is not being caught in the IF statement. when HTTP_REQUEST { if { [HTTP::uri] contains "%00" }{ HTTP::close TCP::close } }
iRule Redirect loop
Hi I am trying to achieve a simple URL redirect but I keep getting a redirect loop or nothing at all. I get an error of "too many redirects" Condition 1 All requests to "; must be redirected to https://test.tst.train123.com/trace123 only But any other traffic eg. "; must continue to the default pool My problem is when I use the the irule below I get a redirect loop when HTTP_REQUEST { if { [HTTP::host] equals "test.tst.train123.com" } { HTTP::redirect "https://test.tst.train123.com/Trace123 [HTTP::uri]" } } When I try this it doesnt seem to work either. I know I am missing something when HTTP_REQUEST { if { [HTTP::uri] equals "test.tst.train123.com"} { HTTP::redirect "/Trace123" } elseif { [HTTP::uri] equals "; } { pool pool_trace123 } }