F5 BIG-IP : SSL::disable serverside drops X-Forwarded-Proto ?
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi My site has a VIP that handles SSL traffic ( port 443 ) The corresponding virtual-server is assigned an HTTP profile that inserts X-Forwarded-Proto:https To this virtual-server I recently added an iRule that in the HTTP_REQUEST event conditionally disables SSL via SSL::disable serverside Is it possible that disabling SSL server-side causes F5 to drop the X-Forwarded-Proto header ? or change its value from https to http ? I ask because I'm seeing traffic arrive at destination web-server missing the X-Forwarded-Proto header.BIG-IP : under what conditions does LB_SELECTED event fire ?
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi Under what conditions does the LB_SELECTED event fire ? If within an iRule's HTTP_REQUEST event-processing-block the pool is explicitly set : when HTTP_REQUEST { pool "my-pool-01" } it appears this will trigger the LB_SELECTED event ( following execution of all HTTP_REQUEST event-processing-blocks ). But what about the case where the pool is not explicitly set within any iRule , but the virtual-server routes traffic to default pool ? In this scenario , will the LB_SELECTED event still fire ? Also, do LB_SELECTED event-processing-blocks fire only after all HTTP_REQUEST event-processing-blocks have completed ? So for a stack of 2 iRules, if I have HTTP_REQUEST blocks in iRules 1 & 2 , will an LB_SELECTED block in iRule 1 begin execution only after the HTTP_REQUEST block in iRule 2 has completed execution ? Another question : my event logs seem to indicate that for a client's initial request upon selecting a pool member the LB_SELECTED event will fire, but not re-fire for subsequent requests by same client to the same back-end server. Is this due to keep-alives establishing a session where selected pool node is maintained for session duration ? Or why else would LB_SELECTED event no longer fire ?BIG-IP add custom header
F5 BIG-IP LTM VE v11.4.0 on ESXi I want to add a custom header to my request before rewriting to a backend server : when HTTP_REQUEST { HTTP::header insert uri-original [HTTP::uri] ... HTTP::uri $rewrite_uri pool backend-pool-01 } However my tests do not show this header present. Am I adding the header correctly ? What are the rules around retaining added headers ? How can I log all headers present in my request ? UPDATE ( 2014-11-29 ) : For case where iRule is assigned to a virtual-server with an http profile, I verified above TCL does add header as expected. However, for https case, adding the header writes errors to the f5 logs : Nov 14 22:03:03 f5-01 err bigd[6134]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure. Nov 14 22:03:04 f5-01 err tmm1[8371]: 01220001:3: TCL error: /Common/xheader-irule-01 - Operation not supported (line 1) invoked from within "HTTP::header insert original-uri [HTTP::uri]"
Sorry page redirect
Im trying to set up an iRule that will redirect traffic to an IIS server when there are no active pool members. I have the basics working. However the sorry page will only display properly the first time if there is a uri. If the user refreshes the page or tries a different uri they get a 404. when HTTP_REQUEST { if { [active_members [LB::server pool]] < 1} { HTTP::uri "/" pool /ESI/solr.erp-pool } } How would i configure this irule to apply every time the user refreshes the page or hits the url again?
Local Traffic Policy and iRule events
Hi, I was reading some post about order of execution, in other words if Local Traffic Policy (LTP) executes before or after iRule. Seems that answer is both 🙂 Scenario: VS with all ports allowed LTP with TCP port is not equal to any of 80; 443 and action Reset traffic iRule with CLIENT_ACCEPTED, HTTP_REQUEST, ACCESS_SESSION_STARTED events (actually few more are in iRule) Without any mods to iRule effect is like that: All commands in CLIENT_ACCEPTED are executed LTP is triggered to reset traffic (log action is performed, so I can see it triggers) All commands in HTTP_REQUEST are performed No command in ACCESS_SESSION_STARTED is executed RST-ACK is send to client CLIENT_CLOSED event is triggered So LTP is not preventing CLIENT_ACCEPTED and HTTP_REQUEST events to be triggered but disables other events and resets connection. I can understand why CLIENT_ACCEPTED is triggered but why HTTP_REQUEST? And why using only matching at TCP connection in LTP causes LTP parameter $1 have http included? I am as well setting variable via LTP. From logging it is obvious that this variable is not yet created when CLIENT_CONNECTED event is executed but it is when HTTP_REQUEST triggers. So for some events iRule is executed first for other LTP. Main question is why LTP allows HTTP_REQUEST to be triggered at all? Matching and actions in LTP are only for TCP protocol not HTTP. Reason I am asking is that I planned to use LTP to limit traffic to specified ports but seems it is not a good solution. Seems that it has to be performed in iRule at least when there is some code to be executed in CLIENT_ACCEPTED as there is no way to disable this event anyhow - or maybe there is? Implementation of Reset traffic is a bit weird. It is using TCP RST for that even if it is still allowing HTTP request to be processed. I understand that LTP is targeting HTTP traffic handling but then instead of TCP RST we should be able to use HTTP respond to more gracefully end client connection. I am able to disable HTTP_REQUEST by setting variable in LTP and checking it in HTTP_REQUEST but not in CLIENT_ACCEPTED. That could be avoided if LTP would not allow HTTP_REQUEST to be triggered. I guess that limiting traffic for all port VS is then possible in two ways: AFM policy iRule Or there is some other way? Piotr
Matching ASCII codes %00 - %1f in HTTP::uri
According to: http://www.w3schools.com/tags/ref_urlencode.asp "The ASCII device control characters %00-%1f were originally designed to control hardware devices. Control characters have nothing to do inside a URL." A vendor software has a bug that actually interprets %00-%1f and does some fateful things on the system as a result. I have the vendor software behind the LTM, and want to close the TCP connection for all URLs with these ASCII codes, particularly "%00". What is the best approach to do this? I tried the below block of code, but the request with "%00" in the URI is not being caught in the IF statement. when HTTP_REQUEST { if { [HTTP::uri] contains "%00" }{ HTTP::close TCP::close } }
iRule Redirect loop
Hi I am trying to achieve a simple URL redirect but I keep getting a redirect loop or nothing at all. I get an error of "too many redirects" Condition 1 All requests to "; must be redirected to https://test.tst.train123.com/trace123 only But any other traffic eg. "; must continue to the default pool My problem is when I use the the irule below I get a redirect loop when HTTP_REQUEST { if { [HTTP::host] equals "test.tst.train123.com" } { HTTP::redirect "https://test.tst.train123.com/Trace123 [HTTP::uri]" } } When I try this it doesnt seem to work either. I know I am missing something when HTTP_REQUEST { if { [HTTP::uri] equals "test.tst.train123.com"} { HTTP::redirect "/Trace123" } elseif { [HTTP::uri] equals "; } { pool pool_trace123 } }STREAM replacement effective on some HTTP requests but not others
We have a need to rewrite one of the incoming request header fields, and I'm doing that with STREAM profile - it works, but curiously only on roughly half of the requests. The other requests contain the same original string that matches what we want to replace, but get through without being replaced. The best we can figure is that HTTP requests NOT containing "Content-Length: NNNN" are working for the string replacement, and HTTP requests containing "Content-Length: NNNN" are NOT working for the string replacement. We tried removing the "Content-Length: NNNN" part from the HTTP request, but that did not work either. "Request Chunking" is set to "Rechunk" on the http profile. Any thoughts on what our problem is, or recommendations on what else to try? Thanks.
F5 iRule - Change node dynamically and keep the default pool
Hello, i have written an iRule that changes the destination ip of the http request, it's done by: node $destProxy $destPort after doing that the request goes to the default gateway of the f5 appliance instead of the default pool assigned to the virtual server. i guess the node overrides the default pool. is there a way to use the node inside the iRule and keep the default pool? just to mention, the default pool has more than one nodes so it cannot be the default gateway. thanks or