DELETE method with AS3 is too powerful !
Am I the only one totally freaking out about the fact that with AS3, you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone ?? All your production system could be wiped off that easily ... From my understanding it's mandatory to have the administrator privilege to use AS3, and administrators can access all the partitions ; so you cannot even create users that would be allowed to manage only specific partitions ... It's all or nothing. In my opinion the least you should do is to get rid of this dangerous default behavior, and instead use the keyword "ALL" to remove all tenants ... ========================== Extract from the doc : Use DELETE to remove configurations for one or more declared Tenants from the target ADC. If you do not specify any Tenants, DELETE removes all of them, which is to say, it removes the entire declared configuration. Indicate the target device and Tenants to remove by appending elements to the main AS3 URL path (/mgmt/shared/appsvcs/declare). By default (just main URL) DELETE removes all Tenants from target localhost. DELETE examples: DELETEhttps://192.0.2.10/mgmt/shared/appsvcs/declare removes all tenants DELETEhttps://192.0.2.10/mgmt/shared/appsvcs/declare/T1,T2,T5 removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place ========================== Does anyone agree, or have a suggestion to add some security ?
AS3 add another VS to existing tenant
I have deployed the sample AS3 script to create a VS with pool and pool members from here: { "class": "AS3", "action": "deploy", "persist": true, "declaration": { "class": "ADC", "schemaVersion": "3.0.0", "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d", "label": "Sample 1", "remark": "Simple HTTP Service with Round-Robin Load Balancing", "AS1": { "class": "Tenant", "A1": { "class": "Application", "template": "generic", "MyVS1": { "class": "Service_HTTP", "virtualAddresses": [ "10.0.1.11" ], "pool": "web_pool_1" }, "web_pool_1": { "class": "Pool", "monitors": [ "http" ], "members": [ { "servicePort": 80, "serverAddresses": [ "192.0.1.10", "192.0.1.11" ] } ] } } } } } Now I want to add another VS to the same tenant (same partition) but when I edit the above script and deploy this: { "class": "AS3", "action": "deploy", "persist": true, "declaration": { "class": "ADC", "schemaVersion": "3.0.0", "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d", "label": "Sample 1", "remark": "Simple HTTP Service with Round-Robin Load Balancing", "AS1": { "class": "Tenant", "A1": { "class": "Application", "template": "generic", "MyVS2": { "class": "Service_HTTP", "virtualAddresses": [ "10.0.1.12" ], "pool": "web_pool_2" }, "web_pool_2": { "class": "Pool", "monitors": [ "http" ], "members": [ { "servicePort": 80, "serverAddresses": [ "192.0.1.12", "192.0.1.13" ] } ] } } } } } It replaces the old configuration and I only have MyVS2. How can I add MyVS2 to the current configuration without losing MyVS1?
STATISTIC_SERVER_SIDE_CURRENT_CONNECTIONS in IG-IP 12.1.1?
Hello, I have a pool of two pool members in my DNS/GSLB/Pools pool. The routing is based on topology which is based on source IP. My version is BIG-IP 12.1.1. I am using PowerShell GlobalLBPoolV2 commandlet set_member_enabled_state to disable one pool member when I need to do some maintenance on the server. This works fine and new connections are going where I want them to go. How can I determine pro-grammatically that the existing connections have drained out? Looks like in the older version there was STATISTIC_SERVER_SIDE_CURRENT_CONNECTIONS based on this link https://devcentral.f5.com/articles/icontrol-apps-04-graceful-server-shutdown. I tried calling get_member_statistics, but not sure if the return object has information I need. The goal is to disable pool member and wait for the existing connections to drain.How to modify HTTP URI using ILX Plugin (v13+)
I am trying to implement ILX Plugin for modifying certain HTTP parameters before forwarding the request to the server. I am able to modify the headers using setHeaders. However, I am unable to find a method to modify the URI. eg. /a/b/c?p=np (Transform to) /catch-all?p=np Is there a method I can use to modify the URI ?F5 change source IP address for event notification
Hi Team, I have configured event notification for our DMZ environment, the communication to the device is on self IP address. But for event notification the device is sending WSDL package including the management IP address, I want F5 to include self IP in the WSDL package, please let us know where i can configure it.
