Maintenance page - hosted on LTM or redirect with fallback host - or both?
I'm in the process of implementing an automated maintenance page that is displayed when I have a pool with no healthy members. Looking around, I see two distinct methods of doing this: utilizing the fallback host feature and redirecting to another URL, or setting up a page to be hosted on the LTM and using an iRule with "[active_members [LB::server pool]] < 1" in it. Does anyone have any opinions on which one is preferred, and why? Currently, I'm using the fallback host method and I'm redirecting to a page hosted on AWS. My setup includes about 70 virtual servers on a 3600 HA cluster; some are QA, some are non-HTTP. I will likely have the need for multiple versions of the maintenance page, depending on the site content it fronts. The one thing I do see as an advantage of the LTM-hosted option is that an iRule code example shows a refresh option being used to automatically pull up the healthy site when it becomes available. Thanks!!

Chris

TCP::collect and large TLS v1.3 client hello packets
Is anyone using iRules successfully to parse SNI names from the new TLS 1.3 hybridized Kyber client hello packets? The problem is that these packets are larger than the MTU(?) size, around ~1800 bytes. Normal hello packets are ~500 bytes. I'm using a TCP profile, for which an iRule parses the SNI name to pass the connection as is to the correct destination pool. How to reproduce:

    when CLIENT_ACCEPTED {
        TCP::collect
    }
    when CLIENT_DATA {
        # [TCP::payload length] shows only 1352, rest of packet missing, CLIENT_DATA is never called again
    }

It only ever gets the first ~1352 bytes from the packet; CLIENT_DATA is only called once, and there seems to be no way to get the rest of the packet. If I add a length argument to collect of >1500 with "TCP::collect 1600", then it will read the whole ~1800 byte packet in the first CLIENT_DATA. But this will break all connections that send normal small ~500 byte hello packets, as it just keeps on waiting for data indefinitely. Is there any workaround? BIG-IP version 16.1.4.1.

One Connect not keeping connection open on HTTP 204 No Content
We have an application that returns an 'HTTP 204 No Content' response on 99% of all requests. These connections are being kept open and reused on the client side of the F5. The problem is the load balancer closes these connections on the server side right after the HTTP 204 response is received from the server. When we send an HTTP 200 the connection is kept open and reused (normal OneConnect operation). Is there an iRule that we can apply to the VIP to keep the connection open even when the server returns an 'HTTP 204 No Content'? Thanks

iRule to block specific users from login to back office system
Hi guys, I need your help to fine tune my iRule script. I need to catch the username (convert it to lower case) and then match it to the data group list. If it does not exist on the data group list, send 403. So basically it is a POST method only and the URI always comes with /login; the payload is form data that contains the username and the password, as you see at the form data. My iRule looks like this:

    when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]: HTTP Client Connected"
    }
    when HTTP_REQUEST {
        if {([string tolower [HTTP::uri]] ends_with "login") and ([HTTP::method] eq "POST")} {
            # Trigger collection for up to 1MB of data
            if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0} {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        set username [lindex [split [string tolower [HTTP::payload]] "\""] 3]
        log local0. "Split payload and take username"
        if { [class match $username equals BOAgentName] } {
            log local0. "username matches data-group and this connection will be rejected"
            log local0. "BoAgent Blocked. Agent=$username and Source IP=[IP::client_addr],"
            HTTP::respond 403
        } else {
            log local0. "BoAgent Allowed"
        }
    }

but it's not working for me.. 😞

Connection limit on virtual server and message back to client
I am trying to set a max connection limit and connections/sec on a virtual server. Once the max connection limit is reached, can LTM send a message back to the client that "it is over limit, please try after some time", or any schedule that tells it to try during this time window?? Do we need to make any changes on the back end servers in the pool? Will appreciate your answers.

Removing port from a redirect
Hi all, One of our web developers has asked me if we could strip off a port number in a redirect they are doing. I thought the following would do this, but it doesn't appear to work.

    when HTTP_RESPONSE {
        if { [HTTP::is_redirect] } {
            if { [HTTP::header Location] contains "www.acme.com:10040" } {
                log "Original Location value: [HTTP::header Location]"
                HTTP::header replace Location [string map -nocase {www.acme.com:10400 www.acme.com} [HTTP::header value Location]]
                log "Updated Location value: [HTTP::header Location]"
                return
            }
        }
    }

And here is what is written to the log:

    Original Location value: www.acme.com:10040/secure/discussion-forum
    Updated Location value: www.acme.com:10040/secure/discussion-forum

Note: actually the log includes http but if I enter in a URL in this new forum s/w it does odd things to it. Any help appreciated.

Craig

iCall script argument
Hello! How can I pass an argument to an iCall script from APM via an iRule? Example: I want to generate a user SSL certificate via APM. I wrote a bash script, but it should be called with two arguments, UserName and UserDomain. Thank you!

    sys icall script gcc_script {
        app-service none
        definition {
            exec /home/root/scripts/certificates.sh $UserDN $DomainDN
            exec istats remove "GCC generate for UserDN"
        }
        description none
        events none
    }