iRules
19425 Topics

Why you have broken DevCentral?
Why oh why have you broken DevCentral completely? None of the Google hits to DevCentral work anymore. None of the internal links in DevCentral to other articles work. The fonts and the UI are horrible to read. Articles can't be opened in new tabs or windows, because links are not links but some javascript shit. If I still manage to find some article, like this https://devcentral.f5.com/s/articles/irules-101-01-introduction-to-irules, I would like to be able to freaking READ THE CONTENT! Not some 404 page not found pages. Those I have read already too many times. Please, bring the old working site back.

601 Views, 9 likes, 7 Comments

Mattermost, F5 LTM, and Websockets
I recently worked with a team that wanted to use the F5 Local Traffic Manager (LTM) feature to load balance connections to their new deployment of the Mattermost open source messaging platform within their on-premises datacenter. This application uses both HTTPS and Websockets connections for real-time chat. We ran into a few configuration issues but eventually found the right combination of “nerd knobs” to allow successful ingress traffic. This post is to consolidate these details and hopefully save time for other F5 engineers attempting to do the same.

Business Requirements

Ingress (client-side) connections TLS 1.1 or higher
Support Websockets
Only allow customized Mattermost mobile (iOS and Android) applications, provisioned from within the organization and using a custom header, to connect from the public Internet.
The same VIP for the mobile traffic should be used by internal desktop or web browsers, which will not include this custom header.

Virtual Server Configuration

The virtual server configuration was fairly straightforward:

Protocol Profile (Client) = a mobile optimized TCP profile
Protocol Profile (Server) = a LAN optimized TCP profile
SSL Profile (Client) = profile with the Option No TLSv1 enabled
SSL Profile (Server) = standard serverssl profile or custom one
WebSocket Profile = WebSocket (or a custom one with this as the parent)
SNAT = custom pool, but AutoMap would work
OneConnect = standard oneconnect profile (or a custom one with this as the parent)
Default Persistence = cookie
Fallback Persistence = source address
Pool = Mattermost server pool
iRule = custom Mattermost iRule

Mattermost iRule

To meet some of the business requirements a custom iRule was created to handle some of the conditions outlined. Comments in-line, but this checks to see if the connection was from outside of the organization and, if so, verifies the presence of the custom HTTP header and value. This also checks to see if the connection requested an upgrade to Websockets, and if it did, changes the HTTP filter from full parsing to passthrough mode.

    when HTTP_REQUEST {
        if { !([IP::addr [IP::client_addr] equals 192.168.0.0/255.255.255.0]) } {
            # Request from IP outside of organization, check for custom HTTP header
            if { [HTTP::header x-the-custom-http-header-name] contains "customvalue" } {
                # Custom HTTP header and matching value found
                if { [string tolower [HTTP::header Upgrade]] contains "websocket" } {
                    # Connection is requesting WebSockets, stop HTTP parsing
                    HTTP::disable
                }
            } elseif { [HTTP::cookie exists MMAUTHENTOKEN] && [HTTP::cookie exists MMUSERID] } {
                # Since WebSocket connections do not carry the custom HTTP header,
                # check to see if the connection has already authenticated and allow it
                return
            } else {
                # Connection fails conditions, reject it
                reject
            }
        } else {
            if { [string tolower [HTTP::header Upgrade]] contains "websocket" } {
                # Connection is requesting WebSockets, stop HTTP parsing
                HTTP::disable
            }
        }
    }

1.2K Views, 5 likes, 2 Comments

oauth server generated jwt token problem
Hi all,

We have a customer trying to do OAuth with a Dovecot server; they have the following problems using the F5 as an OAuth server:

The "typ" JWT header is missing; this should be set to "JWT".
F5 sets the JWT token nbf (not valid before) to some minutes in the past; this breaks Dovecot auth.

The customer wants to use the following OAuth features; are these supported?

https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html

Do you know how the above could be customized in F5 to set the values Dovecot would accept?

Thank you for any hint.
Peter

1.2K Views, 3 likes, 5 Comments

Policies to move HTTPS traffic
I am trying to share a 443 NAT on a firewall sending traffic to the LTM. Once it gets to the F5 I want formview.xxx.org to go to pool-Forms and WEBview.xxx.org to go to pool-WEB. Is that possible with HTTPS traffic? Do the nodes need to use HTTP? It's been 10 years since I have worked on LTMs; I have a fair amount of refreshing and catching up to do. Thanks in advance.
John

802 Views, 2 likes, 19 Comments

RabbitMQ monitor.
We are trying to configure RabbitMQ health monitors to determine which node is primary and send all traffic to it, and fail over if the primary goes down. Configuration is 2 nodes in two different Azure regions (total 4) with web services and RabbitMQ running on all 4. Any thoughts?
Frank

311 Views, 2 likes, 0 Comments

Irule difference http to https redirect ?
Hi Team,

What is the difference between the below 2 iRules? How is iRule 1 different from iRule 2 in working?

    # Rule 1
    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }

    # Rule 2
    when HTTP_REQUEST {
        HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
    }

319 Views, 2 likes, 2 Comments

Load balancing the ISE services Radius and HTTPS
I'm trying to load balance the Cisco ISE services Radius and HTTPS using the F5 LTM. To set up the iRule I'm following the procedure given on the Cisco portal: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200317-F5-LTM-loadbalancing-Radius-and-HTTP-tra.html

For Guest portal authentication it is required to match Radius authentication with the HTTP session and ensure that they all land on the same server. In this guide they have given the iRule for the Radius and HTTPS services, but when I apply the Radius iRule, F5 drops all the connections. It receives the connection but it doesn't forward the connection to pool members.

iRule code for Radius VS:

    # adding persistence based on Calling-Station-ID
    when LB_SELECTED {
        log local0. "session table entry added: "
        session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
    }

    # lookup and adding persistence based on Framed-IP-Addr
    when CLIENT_ACCEPTED {
        log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]"
        if {[session lookup uie "persist:[RADIUS::avp 31]"] ne ""} {
            log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]"
            node [session lookup uie "persist:[RADIUS::avp 31]"]
            log local0. "session table entry added: "
            session add uie "persist:[RADIUS::avp 8]" [session lookup uie "persist:[RADIUS::avp 31]"]
        }
    }

iRule code for HTTP VS:

    # lookup based on client_addr expecting to match entry created based on Framed-IP-Addr
    when HTTP_REQUEST {
        log local0. "session table lookup result for web client of [IP::client_addr]: [session lookup uie "persist:[IP::client_addr]"]"
        if {[session lookup uie "persist:[IP::client_addr]"] ne ""} {
            node [session lookup uie "persist:[IP::client_addr]"]
        }
    }

In the /var/log/ltm I can see the below errors:

    Aug 29 08:47:13 LB-01 info tmm[16932]: Rule /Common/RADIUS_VS : session table lookup result for calling station ID of b4-6b-fc-db -13-1b:
    Aug 29 08:47:13 LB-01 err tmm[16932]: 01220001:3: TCL error: /Common/RADIUS_VS - More data required (line 1) (line 1) invoked from within "RADIUS::avp 31"

I have checked in the Radius server logs that the Calling-Station-ID value is showing up in the Radius server logs; not sure why the iRule is giving an error and dropping the traffic. I'm a newbie; I'm still learning the iRule. Any help appreciated.

2.1K Views, 2 likes, 10 Comments

Netscaler to F5 migration maintain client IP and responder policy
Hi everyone!

I am trying to get rid of the Netscaler infrastructure, but I am having trouble with one VS. I have a single-arm setup environment with 1 VS balancing 2 nodes:

    Client(20.24.20.65) -> VS(10.60.128.40:8080 automap) -> Node (10.60.128.30/31:8080)

The node's app has ACLs and evaluates the client IP. With Netscaler the app receives the client IP as the source, but with F5 the app receives the F5 NIC's IP as the source address. On Netscaler responder policies there is a list of allowed client IPs. I wonder if this could be configured in F5.

    add responder policy Pol_Res_DROP True DROP
    add responder policy Pol_Res_IP_Permit "CLIENT.IP.SRC.EQ(20.24.20.65)||CLIENT.IP.SRC.EQ(100.0.63.41)||CLIENT.IP.SRC.EQ(100.0.64.50)" NOOP

I would appreciate any advice. Thanks!

Solved. 692 Views, 1 like, 2 Comments

How to send users to different URI based on AD group
Hi, I need some guidance on how to create an APM policy to send users to certain URIs based on their AD group. We have an application called Finesse that the UC team wants all users to log into at one URL, but get sent to a different URI depending on the user's AD group. These users float around to different buildings, so source IP address won't work in this scenario. So what APM options should I use to accomplish this? I was looking at the options and saw AD query and landing URI, but I'm 100% sure. Thanks

160 Views, 1 like, 0 Comments

Add irule via tmsh without deleting existing irules, and how to re-order
In v11.5 - need assistance in adding iRules via tmsh, without deleting existing iRules.

    tmsh modify /ltm virtual rules { irulename }

This removes all the applied iRules and only adds the new iRule inside the curly braces. I also would like to re-order rules via tmsh, once the iRules are applied.

Regards,

1.6K Views, 1 like, 15 Comments